Malware Analysis Report

2025-06-16 06:21

Sample ID 231129-rxn6dsgh95
Target SPAM.zip
SHA256 007871c3d69e14c43585420eebe845ecebdd6c96affd74eb37b831a328ece740
Tags
agenttesla keylogger spyware stealer trojan nanocore evasion persistence
score
10/10

Analysis Overview

score
10/10

SHA256

007871c3d69e14c43585420eebe845ecebdd6c96affd74eb37b831a328ece740

Threat Level: Known bad

The file SPAM.zip was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan nanocore evasion persistence

AgentTesla

NanoCore

Blocklisted process makes network request

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Loads dropped DLL

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Launches Equation Editor

Creates scheduled task(s)

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-29 14:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:39

Platform

win10v2004-20231127-en

Max time kernel

144s

Max time network

273s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI7812367813.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI7812367813.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

Analysis: behavioral5

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:39

Platform

win7-20231023-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2152 set thread context of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe
PID 2152 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe
PID 2152 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe
PID 2152 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe
PID 2152 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe
PID 2152 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe
PID 2152 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe
PID 2152 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe
PID 2152 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe

"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe"

C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe

"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 173.231.16.77:443 api.ipify.org tcp
US 8.8.8.8:53 ftp.atelierzolotas.gr udp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp

Files

Analysis: behavioral6

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:39

Platform

win10-20231025-en

Max time kernel

187s

Max time network

256s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2516 set thread context of 4132 N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe

"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe"

C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe

"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:443 api.ipify.org tcp
US 8.8.8.8:53 156.227.185.64.in-addr.arpa udp
US 8.8.8.8:53 ftp.atelierzolotas.gr udp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
US 8.8.8.8:53 19.112.20.198.in-addr.arpa udp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 81.14.97.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Promac S.A.220172615415415.DOC.exe.log

MD5 0c2899d7c6746f42d5bbe088c777f94c
SHA1 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA256 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512 ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078


Analysis: behavioral8

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:39

Platform

win11-20231128-en

Max time kernel

153s

Max time network

195s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1432 set thread context of 3524 N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe

"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe"

C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe

"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:443 api.ipify.org tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Promac S.A.220172615415415.DOC.exe.log

MD5 7e1ed0055c3eaa0bbc4a29ec1ef15a6a
SHA1 765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d
SHA256 4c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce
SHA512 de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8


Analysis: behavioral11

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:39

Platform

win10v2004-20231127-en

Max time kernel

135s

Max time network

263s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order_Spec_COSMOS ALUMINIUM Α.Ε.docx" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order_Spec_COSMOS ALUMINIUM Α.Ε.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 16.43.107.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.17.178.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84


Analysis: behavioral16

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:39

Platform

win11-20231128-en

Max time kernel

140s

Max time network

272s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI7812367813.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI7812367813.rtf" /o ""

Network

Files

Analysis: behavioral4

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:39

Platform

win11-20231128-en

Max time kernel

199s

Max time network

266s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1684 set thread context of 1644 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 1684 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 1684 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 1684 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 1684 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 1684 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 1684 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 1684 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 1684 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 1684 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 1684 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:443 api.ipify.org tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PROMAC_S.exe.log

MD5 7e1ed0055c3eaa0bbc4a29ec1ef15a6a
SHA1 765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d
SHA256 4c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce
SHA512 de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8

memory/1644-16-0x0000000074BD0000-0x0000000075381000-memory.dmp

memory/1684-17-0x0000000074BD0000-0x0000000075381000-memory.dmp

memory/1644-18-0x0000000004F70000-0x0000000004F80000-memory.dmp

memory/1644-19-0x0000000005140000-0x00000000051A6000-memory.dmp

memory/1644-20-0x00000000067C0000-0x0000000006810000-memory.dmp

memory/1644-21-0x0000000074BD0000-0x0000000075381000-memory.dmp

memory/1644-22-0x0000000004F70000-0x0000000004F80000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:40

Platform

win11-20231128-en

Max time kernel

139s

Max time network

272s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order_Spec_COSMOS ALUMINIUM Α.Ε.docx" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order_Spec_COSMOS ALUMINIUM Α.Ε.docx" /o ""

Network

Files

memory/1320-0-0x00007FF887370000-0x00007FF887380000-memory.dmp

memory/1320-2-0x00007FF887370000-0x00007FF887380000-memory.dmp

memory/1320-4-0x00007FF887370000-0x00007FF887380000-memory.dmp

memory/1320-3-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-1-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-5-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-6-0x00007FF887370000-0x00007FF887380000-memory.dmp

memory/1320-8-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-7-0x00007FF887370000-0x00007FF887380000-memory.dmp

memory/1320-9-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-10-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-11-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-12-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-13-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-14-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-15-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-16-0x00007FF8C6200000-0x00007FF8C62BD000-memory.dmp

memory/1320-17-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-18-0x00007FF884E10000-0x00007FF884E20000-memory.dmp

memory/1320-19-0x00007FF884E10000-0x00007FF884E20000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1320-35-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-36-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-37-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-38-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-39-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-40-0x00007FF8C6200000-0x00007FF8C62BD000-memory.dmp

memory/1320-41-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-65-0x00007FF887370000-0x00007FF887380000-memory.dmp

memory/1320-66-0x00007FF887370000-0x00007FF887380000-memory.dmp

memory/1320-68-0x00007FF887370000-0x00007FF887380000-memory.dmp

memory/1320-67-0x00007FF887370000-0x00007FF887380000-memory.dmp

memory/1320-69-0x00007FF8C72E0000-0x00007FF8C74E9000-memory.dmp

memory/1320-70-0x00007FF8C6200000-0x00007FF8C62BD000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:39

Platform

win7-20231023-en

Max time kernel

270s

Max time network

301s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI7812367813.rtf"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2684 set thread context of 1968 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DPI Subsystem\dpiss.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A
File opened for modification C:\Program Files (x86)\DPI Subsystem\dpiss.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
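Most of the registry rows above are noise: every "Modifies Internet Explorer settings" and "Modifies registry class" entry is attributed to WINWORD.EXE, and the long hex `command` values are Windows Installer descriptors (a 20-character packed product code, a feature name such as WORDFiles, `>`, a 20-character packed component code, then the verb's arguments) that Office writes so the MSI engine can self-repair its file handlers. The rows that matter are the two attributed to plugman75907.exe: the HKLM Run value `DPI Subsystem` pointing at the copy dropped into `C:\Program Files (x86)\DPI Subsystem\dpiss.exe`, and the EnableLUA query. Writing HKLM Run and dropping into Program Files only succeeds with administrative rights, which the sandbox's Admin account evidently had. The script below is an added example, not part of the report: it decodes the sandbox's hex-dumped REG_BINARY data as UTF-16LE, recognises the installer descriptors, separates persistence from Office self-registration by the writing process, and correlates the Run value name with the task names in the `schtasks` command lines listed under Processes for this detonation. The rows and command lines are restructured from the report; the trusted-path prefixes are an assumption for illustration.

```python
"""Separate real persistence in a sandbox registry table from Office's own
registration noise, and decode the REG_BINARY values the sandbox dumps as hex.
Added example; not part of the report."""
import re

# Hex blob copied verbatim from the 'Default MHTML Editor\shell\edit\command\command' row.
DARWIN_HEX = ("780062002700420056003500210021002100210021002100210021002100"
              "4d004b004b0053006b0057004f0052004400460069006c00650073003e00"
              "620069002400540021005600210030005a003d007b0050006b0030007600"
              "6d007e0041005a00750020002f006e002000220025003100220000000000")

# Rows from the report's registry tables, restructured as (op, key, value, process).
REG_EVENTS = [
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem",
     r'"C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe"',
     r"C:\Users\Admin\AppData\Roaming\plugman75907.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     None,
     r"C:\Users\Admin\AppData\Roaming\plugman75907.exe"),
    ("Set value (data)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command",
     DARWIN_HEX,
     r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"),
]
# schtasks command lines from the Processes list of the same detonation.
SCHTASKS_CMDLINES = [
    r'"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEDF7.tmp"',
    r'"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEF7E.tmp"',
]
# Assumption for this example: processes under these paths are treated as trusted writers.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def decode_reg_data(hex_str):
    """The sandbox prints REG_BINARY/REG_MULTI_SZ data as hex of UTF-16LE text."""
    return bytes.fromhex(hex_str).decode("utf-16-le").rstrip("\x00")


def is_darwin_descriptor(text):
    """Windows Installer descriptor: 20-char packed product code, feature name,
    '>', 20-char packed component code, optional arguments."""
    return re.match(r"^.{20}\w+>.{20}", text) is not None


def unquote_path(value):
    """Undo the report's quoting/escaping of string values."""
    return value.strip('"').replace("\\\\", "\\")


def classify(op, key, value, process):
    """Return (category, detail, from_untrusted_process)."""
    k = key.lower()
    untrusted = not process.lower().startswith(TRUSTED_PREFIXES)
    if op.startswith("Set value") and re.search(r"\\currentversion\\run(once)?\\", k):
        name = key.rsplit("\\", 1)[-1]
        return "persistence", f"Run value {name!r} -> {unquote_path(value)}", untrusted
    if k.endswith("\\policies\\system\\enablelua"):
        return "uac-check", "queried EnableLUA (UAC status)", untrusted
    if op == "Set value (data)" and value:
        text = decode_reg_data(value)
        if is_darwin_descriptor(text):
            return "office-msi-registration", text, untrusted
    return "other", key, untrusted


def task_names(cmdlines):
    """Task names registered via 'schtasks /create ... /tn "<name>"'."""
    return [m.group(1) for c in cmdlines for m in [re.search(r'/tn "([^"]+)"', c)] if m]


def correlate(reg_events, cmdlines):
    """Names that appear both as a Run value and as a scheduled task."""
    run_names = {key.rsplit("\\", 1)[-1] for op, key, _, _ in reg_events
                 if op.startswith("Set value") and "\\run\\" in key.lower()}
    return sorted(run_names & set(task_names(cmdlines)))


if __name__ == "__main__":
    for event in REG_EVENTS:
        print(classify(*event))
    print("shared persistence names:", correlate(REG_EVENTS, SCHTASKS_CMDLINES))
```

The `/xml` form of `schtasks /create` means the trigger, run level and action live in the temp files `tmpEDF7.tmp` and `tmpEF7E.tmp`, which the report does not include; when you have the sandbox's dropped-file archive, those XML files are where to confirm whether the task runs `dpiss.exe` with highest privileges.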

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2684 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2768 wrote to memory of 2684 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2768 wrote to memory of 2684 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2768 wrote to memory of 2684 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2684 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2684 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2684 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2684 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2684 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2684 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2684 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2684 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2684 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 1968 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1140 wrote to memory of 1912 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1140 wrote to memory of 1912 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1140 wrote to memory of 1912 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1140 wrote to memory of 1912 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI7812367813.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\plugman75907.exe

"C:\Users\Admin\AppData\Roaming\plugman75907.exe"

C:\Users\Admin\AppData\Roaming\plugman75907.exe

"C:\Users\Admin\AppData\Roaming\plugman75907.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEDF7.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEF7E.tmp"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 zang1.almashreaq.top udp
US 172.67.221.26:80 zang1.almashreaq.top tcp
US 8.8.8.8:53 rn72836.sytes.net udp
VN 103.114.106.29:6696 rn72836.sytes.net tcp

Files

memory/1140-0-0x000000002F561000-0x000000002F562000-memory.dmp

memory/1140-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1140-2-0x000000007106D000-0x0000000071078000-memory.dmp

C:\Users\Admin\AppData\Roaming\plugman75907.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

\Users\Admin\AppData\Roaming\plugman75907.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

C:\Users\Admin\AppData\Roaming\plugman75907.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

C:\Users\Admin\AppData\Roaming\plugman75907.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

memory/2684-14-0x0000000000A00000-0x0000000000AAA000-memory.dmp

memory/2684-16-0x000000006ACD0000-0x000000006B3BE000-memory.dmp

memory/2684-17-0x0000000004C00000-0x0000000004C40000-memory.dmp

memory/2684-22-0x0000000000570000-0x000000000058A000-memory.dmp

memory/2684-23-0x0000000000590000-0x0000000000598000-memory.dmp

memory/2684-24-0x00000000005A0000-0x00000000005AA000-memory.dmp

memory/2684-25-0x0000000005AD0000-0x0000000005B42000-memory.dmp

memory/1968-26-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1968-27-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1968-28-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1968-29-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1968-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1968-32-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Roaming\plugman75907.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

memory/1968-35-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2684-37-0x000000006ACD0000-0x000000006B3BE000-memory.dmp

memory/1968-38-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1140-39-0x000000007106D000-0x0000000071078000-memory.dmp

memory/1968-40-0x000000006AD10000-0x000000006B3FE000-memory.dmp

memory/1968-41-0x0000000000480000-0x00000000004C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEDF7.tmp

MD5 8e3b0eae623035f63ea2615d66f690c3
SHA1 53e1ec94bef459f5865851da899ca36e8c237181
SHA256 9481f3e69976cc0f33f0ff687d7f98f9c12aabe7f27ca2e49b339dd81779ca03
SHA512 ad14e0138bd94cde239423adba252a8ede0b9e9b2c43d189524ae640d8fff3b9cbfa70e530506128f760a53aafa022dcb3639f9502dfc71d721215c89d5b7ea6

C:\Users\Admin\AppData\Local\Temp\tmpEF7E.tmp

MD5 5fea24e883e06e4df6d240dc72abf2c5
SHA1 d778bf0f436141e02df4b421e8188abdcc9a84a4
SHA256 e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
SHA512 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924

memory/1968-49-0x00000000003E0000-0x00000000003EA000-memory.dmp

memory/1968-50-0x0000000000610000-0x000000000062E000-memory.dmp

memory/1968-51-0x00000000003F0000-0x00000000003FA000-memory.dmp

memory/1968-54-0x0000000000680000-0x0000000000692000-memory.dmp

memory/1968-55-0x0000000000690000-0x00000000006AA000-memory.dmp

memory/1968-56-0x0000000002040000-0x000000000204E000-memory.dmp

memory/1968-57-0x0000000002180000-0x0000000002192000-memory.dmp

memory/1968-58-0x0000000002280000-0x000000000228E000-memory.dmp

memory/1968-59-0x0000000002290000-0x000000000229C000-memory.dmp

memory/1968-60-0x00000000022A0000-0x00000000022B4000-memory.dmp

memory/1968-61-0x00000000043B0000-0x00000000043C0000-memory.dmp

memory/1968-62-0x00000000043C0000-0x00000000043D4000-memory.dmp

memory/1968-63-0x00000000043D0000-0x00000000043DE000-memory.dmp

memory/1968-64-0x00000000043F0000-0x000000000441E000-memory.dmp

memory/1968-65-0x0000000004460000-0x0000000004474000-memory.dmp

memory/1968-68-0x000000006AD10000-0x000000006B3FE000-memory.dmp

memory/1968-69-0x0000000000480000-0x00000000004C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 9f8b3afaa14b3c3a02bb4bc92ad26999
SHA1 02717851ac03ab417043934b1fdc30ea09cc67de
SHA256 ea5ce9b31834d0529e66a45cf3f9c71abd8c7812bf6fe1c8143858c1cd5017ed
SHA512 e0a7b3870a8bdeb782bdac737ff06067bfbe47bdcbd3273454550c5fbf6e894de94d56ad290a23c155cd503198ae0819f39e0138f0fa2fa7ad8b5a350f0f965d

memory/1140-87-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1140-88-0x000000007106D000-0x0000000071078000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:39

Platform

win7-20231020-en

Max time kernel

270s

Max time network

302s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order_Spec_COSMOS ALUMINIUM Α.Ε.docx"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Manager = "C:\\Program Files (x86)\\SCSI Manager\\scsimgr.exe" C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1644 set thread context of 2268 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SCSI Manager\scsimgr.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A
File opened for modification C:\Program Files (x86)\SCSI Manager\scsimgr.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
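The `command` values in the rows above are REG_BINARY, so the sandbox prints them as hex. Decoded as UTF-16LE they are MSI Darwin descriptors (20-character compressed ProductCode, feature name, '>', 20-character compressed component GUID, then the argument tail), which is how Office registers advertised verbs for its .htm/.mht handlers and re-writes them whenever Word repairs its file associations. The decoder below is an added example and not part of the sandbox output; the three hex strings are copied from the rows above and the base-85 alphabet is the one msi.dll uses for compressed GUIDs. It recovers ProductCode {90140000-0011-0000-0000-0000000FF1CE} (Office 2010 Professional Plus, x86) and the features WORDFiles, PubPrimary and EXCELFiles, so these "Modifies registry class" and "Modifies Internet Explorer settings" rows are WINWORD.EXE's own registration noise, not payload activity; the adware/spyware tags on those signatures are generic heuristics.

```python
"""Decode the REG_BINARY `command` values WINWORD.EXE writes under
OpenWithList and Default HTML/MHTML Editor.

Added example, not part of the sandbox report.  The three hex blobs are copied
from the "Modifies registry class" rows; decoding follows the MSI Darwin
descriptor layout (compressed ProductCode, feature, '>', compressed component
GUID, argument tail) and the base-85 alphabet msi.dll uses for compressed GUIDs.
"""
from __future__ import annotations

from dataclasses import dataclass

# Base-85 alphabet of MSI compressed GUIDs; a character's position is its digit value.
_B85 = ("!$%&'()*+,-.0123456789=?@"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`"
        "abcdefghijklmnopqrstuvwxyz{}~")
_B85_VALUE = {ch: i for i, ch in enumerate(_B85)}
assert len(_B85) == 85


@dataclass(frozen=True)
class DarwinDescriptor:
    product_code: str  # MSI ProductCode, e.g. the Office 2010 suite GUID
    feature: str       # MSI feature name, e.g. WORDFiles
    component: str     # MSI component GUID owning the advertised verb
    args: str          # command-line tail appended after the descriptor


def decompress_guid(packed: str) -> str:
    """Expand a 20-char compressed GUID to registry {XXXXXXXX-XXXX-...} form.

    Each group of 5 characters is one base-85 DWORD whose FIRST character is the
    least significant digit; the four DWORDs are Data1, Data2|Data3<<16, and the
    two little-endian halves of Data4.
    """
    if len(packed) != 20:
        raise ValueError("compressed GUID must be exactly 20 characters")
    dwords = []
    for i in range(0, 20, 5):
        value = 0
        for ch in reversed(packed[i:i + 5]):
            value = value * 85 + _B85_VALUE[ch]   # KeyError on a non-alphabet char
        if value > 0xFFFFFFFF:
            raise ValueError("base-85 group does not fit in a DWORD")
        dwords.append(value)
    d1, d2, d3, d4 = dwords
    data4 = d3.to_bytes(4, "little") + d4.to_bytes(4, "little")
    return "{%08X-%04X-%04X-%s-%s}" % (
        d1, d2 & 0xFFFF, d2 >> 16,
        data4[:2].hex().upper(), data4[2:].hex().upper())


def decode_command_value(hex_blob: str) -> DarwinDescriptor:
    """Parse one hex-dumped `command` value into its descriptor fields."""
    text = bytes.fromhex(hex_blob).decode("utf-16-le").rstrip("\x00")
    product, rest = text[:20], text[20:]
    feature, sep, after = rest.partition(">")
    if not sep:
        raise ValueError("not a compressed Darwin descriptor (no '>' separator)")
    component, args = after[:20], after[20:]
    return DarwinDescriptor(decompress_guid(product), feature,
                            decompress_guid(component), args.strip())


# Hex copied verbatim from this detonation's registry rows (OpenWithList entry: data).
REPORT_COMMAND_VALUES = {
    "WinWord.exe": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000",
    "Microsoft Publisher": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000",
    "Excel.exe": "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000",
}


def decode_report_values() -> dict[str, DarwinDescriptor]:
    """Decode every captured value; all three share one Office ProductCode."""
    return {name: decode_command_value(blob)
            for name, blob in REPORT_COMMAND_VALUES.items()}


if __name__ == "__main__":
    for name, d in decode_report_values().items():
        print(f"{name:<20} {d.product_code} {d.feature:<11} {d.component} {d.args}")
```

Run it against any other `command` blob from a sandbox report; a value that does not start with a 20-character compressed GUID followed by a feature and '>' is not an Office advertised verb and deserves a closer look.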

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 1644 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2912 wrote to memory of 1644 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2912 wrote to memory of 1644 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2912 wrote to memory of 1644 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 1644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 1644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 1644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 1644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 1644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 1644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 1644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 1644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 1644 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2268 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2268 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2268 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2268 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2268 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2268 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2268 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2268 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2024 wrote to memory of 1244 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2024 wrote to memory of 1244 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2024 wrote to memory of 1244 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2024 wrote to memory of 1244 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order_Spec_COSMOS ALUMINIUM Α.Ε.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\plugman29036.exe

"C:\Users\Admin\AppData\Roaming\plugman29036.exe"

C:\Users\Admin\AppData\Roaming\plugman29036.exe

"C:\Users\Admin\AppData\Roaming\plugman29036.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SCSI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAA43.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SCSI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAC47.tmp"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 zang3.conyersdill.top udp
US 172.67.223.227:80 zang3.conyersdill.top tcp
US 172.67.223.227:80 zang3.conyersdill.top tcp
US 8.8.8.8:53 zang1.almashreaq.top udp
US 104.21.70.74:80 zang1.almashreaq.top tcp
US 8.8.8.8:53 rn72836.sytes.net udp
VN 103.114.106.29:6696 rn72836.sytes.net tcp
US 8.8.8.8:53 rn72836.sytes.net udp
VN 103.114.106.29:6696 rn72836.sytes.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\{036F5B8B-43E7-49AC-B61E-7151F4EE272D}

MD5 a1a4a363ae65b33c9ededaebe55fa950
SHA1 1d3068b6a83dd026b931f179a809065c47161547
SHA256 fb24b0ec0766431fdae19d248daa39500296c2a81efada953fe689aec78508ad
SHA512 e9c3d3addd03c99e904069a0672ba2b7bbe52f6b9af71de4ba82a53e5fec5657f1770473a8f31128b1fb35fe5dee9dbb7aa663f9d7d6825eba68361436c8fa89

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{320F262B-D90A-4C08-B3E8-B4328BA54246}.FSD

MD5 e5231089fd720f96997b6d73c76f5ca2
SHA1 0b6d7cb397c40587249103da2b7500ac09ffd602
SHA256 0259647df3dd912806671f7d91334dd65cb4fce2da656b0aa0db7aa1d7658a70
SHA512 199781cdd1759079e12acb14cf5baf124842bda7d6fe00ac560233672d4a0bb03bda5f971dec02e20a999976bd11f90d59cc550f1a7f60aeb73f9cd06459fa66

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{320F262B-D90A-4C08-B3E8-B4328BA54246}.FSD

MD5 d9f522bf00f91cb75ae657c9c2bdb688
SHA1 e7e4cfc09675197abe52fe1cad41f0fcab1985db
SHA256 6d6e772627a497bd190943e49a4ca19e06e3807a536ff6d8e6cadb447a20ddb6
SHA512 eefd8062ac3404c285a52f44b58ecb3185d04fe86405368e8974c5fec759413937762cc9ce7ab8cc4a88f2b9457699c13946da8b6bd4cea85aab28f42b547bdc

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 c4403a46e87f6bc1def1c1215b0b29e7
SHA1 e0b35e09646770a7e9ec05b203c08c54742cb577
SHA256 0f7f75cc25f3eb5adaeff95e65c3877e29baa03d442d740d378e853168f40c21
SHA512 964161c0a7a745a16bfbbac4e9823aad570cef7b5eb0f5cde695f83541be8e4db3654f8b01679495eca8afcfc6f6cc4c7dff0a5ca7a986c4a66c000918df2915

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F1D73D2C-7160-4076-B0CF-0E79F9C72222}.FSD

MD5 abd87ab771f04724de9247d59deb9428
SHA1 1fb3ff1e9e817449bf558444c1f871b007f84770
SHA256 5d0a6c3da9337938c2ea1064c43fd1d1e1602acf8b15248d2a84edd6e464773a
SHA512 7fc431b78cba0f13a59763b91a9facc510bfb75d4784f7d3f4e4a6ab9f3c6515265f257b7dfa4f306ecb40759d45cffcbec5544b47f17361e591c47c594b1ee9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQGVC737\plugmanzx[1].doc

MD5 00bc84ea46871a6109ea431895212de6
SHA1 a39d7050310f899c6f90a32965fdae7510b7dc6a
SHA256 5cdd0eea11c3a986453ba11e2d2f5dfe8df3d5182c498e9d49b61bb5f1a07977
SHA512 ee41df4b47e29d6199f51554e975fab2a80ccb8f8a93880b37641cfd263a313a076580a6bd4f1bb497a41ef73092a3363dafe906ab722d0daff352e993afc360

C:\Users\Admin\AppData\Roaming\plugman29036.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\tmpAA43.tmp

MD5 87d51fa1cc254273b019f5828ea7194f
SHA1 692dd452d56c655e4f7a044a4c785bd82d3b2a57
SHA256 1d50bc377216f796fafc72544836c5a2b9d6a51d0bc855c6ecf92b270dbc9f8c
SHA512 477c1396421ccfc12d62a8f1c9744b7e9c695d98b12ea02fbd76a1b9760587a7075e24e512c19fdd305c5933e20bcc22e8d9848f7281a1927bea5a62292cada2

C:\Users\Admin\AppData\Local\Temp\tmpAC47.tmp

MD5 f852c93e083d04e21605d65da8fc6b36
SHA1 cd0ee83b34e18e41a4f7f75c51285a81e502e966
SHA256 fc83a4838c8f389314d453d7803a77d31926592ee8e8c1b8dfca71f8f68518c8
SHA512 bcb3b0767f46c5882d812159fed9475bf0e88e62a986a14761cebb60b7ce2b71f7caca2c3fafaf9d03556c93d6fe37fa8053215618734a5121a84e08bfd6e250

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 49b0b353923a50ea5be62872d4c38ef0
SHA1 2eddbaebfd4cadd224682e4660ae8b399c4d1db6
SHA256 5724d8bf7c254eda21c715fd6f7f7b6a6eb821658866c1e0b83ab3e0a6f93b32
SHA512 d2cb59a0143f3555624ab11c58779c9444e5b507ae7053ca5710f0eab381a9629f0f69d9ab3d424103fdf66ace53a11e6451ffa22247d1dfe3563ac8c0a12410

Analysis: behavioral10

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:39

Platform

win10-20231020-en

Max time kernel

186s

Max time network

261s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order_Spec_COSMOS ALUMINIUM Α.Ε.docx" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order_Spec_COSMOS ALUMINIUM Α.Ε.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 16.43.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 254.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:39

Platform

win7-20231020-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2096 set thread context of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 2096 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 2096 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 2096 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:443 api.ipify.org tcp
US 8.8.8.8:53 ftp.atelierzolotas.gr udp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:40

Platform

win10-20231020-en

Max time kernel

187s

Max time network

263s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4436 set thread context of 3784 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 173.231.16.77:443 api.ipify.org tcp
US 8.8.8.8:53 77.16.231.173.in-addr.arpa udp
US 8.8.8.8:53 ftp.atelierzolotas.gr udp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
US 8.8.8.8:53 19.112.20.198.in-addr.arpa udp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 81.14.97.104.in-addr.arpa udp

Files

Analysis: behavioral3

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:39

Platform

win10v2004-20231127-en

Max time kernel

181s

Max time network

263s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4308 set thread context of 380 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4308 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 4308 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe
PID 4308 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe

"C:\Users\Admin\AppData\Local\Temp\Done\PROMAC_S.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 126.24.238.8.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 173.231.16.77:443 api.ipify.org tcp
US 8.8.8.8:53 77.16.231.173.in-addr.arpa udp
US 8.8.8.8:53 ftp.atelierzolotas.gr udp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
US 8.8.8.8:53 19.112.20.198.in-addr.arpa udp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
US 8.8.8.8:53 254.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PROMAC_S.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Analysis: behavioral7

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:39

Platform

win10v2004-20231127-en

Max time kernel

153s

Max time network

269s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2024 set thread context of 4328 N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe

"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe"

C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe

"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:443 api.ipify.org tcp
US 8.8.8.8:53 156.227.185.64.in-addr.arpa udp
US 8.8.8.8:53 ftp.atelierzolotas.gr udp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
US 8.8.8.8:53 19.112.20.198.in-addr.arpa udp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

memory/2024-0-0x0000000000570000-0x0000000000642000-memory.dmp

memory/2024-1-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/2024-2-0x0000000005530000-0x0000000005AD4000-memory.dmp

memory/2024-3-0x0000000004F80000-0x0000000005012000-memory.dmp

memory/2024-4-0x0000000005200000-0x0000000005210000-memory.dmp

memory/2024-5-0x0000000004F10000-0x0000000004F1A000-memory.dmp

memory/2024-6-0x0000000005180000-0x0000000005190000-memory.dmp

memory/2024-7-0x00000000051B0000-0x00000000051B6000-memory.dmp

memory/2024-8-0x00000000051D0000-0x00000000051DA000-memory.dmp

memory/2024-9-0x0000000006250000-0x00000000062EA000-memory.dmp

memory/2024-10-0x0000000006A80000-0x0000000006B1C000-memory.dmp

memory/2024-11-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/2024-12-0x0000000005200000-0x0000000005210000-memory.dmp

memory/4328-13-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Promac S.A.220172615415415.DOC.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/4328-16-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4328-17-0x0000000005A40000-0x0000000005A50000-memory.dmp

memory/2024-18-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4328-19-0x00000000059A0000-0x0000000005A06000-memory.dmp

memory/4328-20-0x0000000006DC0000-0x0000000006E10000-memory.dmp

memory/4328-21-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4328-22-0x0000000005A40000-0x0000000005A50000-memory.dmp
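The three sections above (Signatures, Network, Files) carry the whole story of this run once they are read together: a self-hollowing, one external-IP lookup, four FTP sessions to ftp.atelierzolotas.gr, and a fresh image at 0x400000 in the hollowed child. The script below is an added example, not code from the report or from the sandbox, that correlates lines copied from this run into that verdict. The line formats it parses are the ones printed above; the list of IP-check services and the noise suffixes are assumptions for the example, and treating the FTP sessions as the stealer's exfiltration channel is an inference from the AgentTesla classification rather than something the report states.

```python
"""Correlate a sandbox run's signature, network and memory lines into a
hollowing + exfiltration summary. Added example for this page; the input
lines are copied from the behavioral7 run, the heuristics are the example's
own and are not the sandbox's detection logic."""
import re
from collections import defaultdict

# Input lines copied from the report (constructed input for the example).
SIGNATURES = [
    "PID 2024 set thread context of 4328 N/A "
    r"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe "
    r"C:\Users\Admin\AppData\Local\Temp\Promac S.A.220172615415415.DOC.exe",
]
NETWORK = """\
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:443 api.ipify.org tcp
US 8.8.8.8:53 ftp.atelierzolotas.gr udp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
NL 198.20.112.19:21 ftp.atelierzolotas.gr tcp
""".splitlines()
MEMORY = [
    "memory/2024-0-0x0000000000570000-0x0000000000642000-memory.dmp",
    "memory/2024-1-0x0000000074AC0000-0x0000000075270000-memory.dmp",
    "memory/4328-13-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/4328-16-0x0000000074AC0000-0x0000000075270000-memory.dmp",
]

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) N/A (.+?\.exe) (.+?\.exe)$")
NET_RE = re.compile(r"^(\w\w) (\S+):(\d+) (\S+) (tcp|udp)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Assumed lists for the example: public-IP services and sandbox background noise.
IP_CHECK_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.amazonaws.com"}
NOISE_SUFFIXES = (".in-addr.arpa", "bing.com")


def hollowing_events(sig_lines):
    """(injector_pid, target_pid) pairs where the target shares the injector's image path."""
    events = []
    for line in sig_lines:
        m = CTX_RE.search(line)
        if m and m.group(3) == m.group(4):
            events.append((int(m.group(1)), int(m.group(2))))
    return events


def classify_network(net_lines):
    """Bucket connections into noise, ip_check and exfil (non-noise TCP to an outside host).
    UDP rows are the DNS lookups that precede the TCP sessions and carry no extra signal."""
    buckets = defaultdict(set)
    for line in net_lines:
        m = NET_RE.match(line)
        if not m:
            continue
        _, _dst, port, domain, proto = m.groups()
        if domain.endswith(NOISE_SUFFIXES):
            buckets["noise"].add(domain)
        elif domain in IP_CHECK_HOSTS:
            buckets["ip_check"].add(domain)
        elif proto == "tcp":
            buckets["exfil"].add(f"{domain}:{port}")
    return buckets


def payload_region(mem_lines, target_pid):
    """(base, size) of the dump in the hollowed process that sits at the 0x400000 image base."""
    for line in mem_lines:
        m = MEM_RE.match(line)
        if m and int(m.group(1)) == target_pid and int(m.group(2), 16) == 0x400000:
            base, end = int(m.group(2), 16), int(m.group(3), 16)
            return base, end - base
    return None


def verdict(sig_lines, net_lines, mem_lines):
    """One finding per hollowing event (with the dump to carve) plus one for exfil hosts."""
    findings = []
    for injector, target in hollowing_events(sig_lines):
        findings.append(("hollowing", injector, target, payload_region(mem_lines, target)))
    net = classify_network(net_lines)
    if net["exfil"]:
        findings.append(("exfil", sorted(net["exfil"])))
    return findings


if __name__ == "__main__":
    for f in verdict(SIGNATURES, NETWORK, MEMORY):
        print(f)
```

The dump it points at, 0x400000 with size 0x42000 in PID 4328, is the region that was never backed by a file on disk, which is why a static scan of the submitted executable misses the AgentTesla strings that a scan of that dump finds.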

Analysis: behavioral14

Detonation Overview

Submitted

2023-11-29 14:34

Reported

2023-11-29 14:40

Platform

win10-20231020-en

Max time kernel

185s

Max time network

269s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI7812367813.rtf" /o ""

Signatures

Checks processor information in registry

Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (Indicator, Target: N/A)

Office reads these processor keys itself on startup; their presence says nothing about the document.

Enumerates system info in registry

Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Process: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (Indicator, Target: N/A)

Same caveat as the processor keys: these BIOS reads come from WINWORD.EXE on every run, so they are noise rather than evidence of sandbox evasion by the RTF.

Suspicious behavior: AddClipboardFormatListener

Process: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (Description, Indicator, Target: N/A)
Process: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (Description, Indicator, Target: N/A)

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI7812367813.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 16.43.107.13.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 81.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
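This run shows a single WINWORD.EXE process, only reverse-DNS traffic and no files written: PI7812367813.rtf did not visibly detonate on win10-20231020 with Office16. When that happens the next step is to look at the document statically rather than trust the quiet run. The script below is an added example, not code from the report; it pulls the OLE1 stream out of every objdata control word in an RTF, reports the embedded object's class and whether its payload is a compound file, and flags the classes most often used to smuggle a file or reach a vulnerable component. The RTF it runs on is constructed inline for the example and is not the submitted document; the list of flagged class names is the example's own assumption.

```python
"""Static triage of an RTF for embedded OLE objects. Added example for this
page; the sample RTF is constructed here and is not PI7812367813.rtf."""
import re
import struct

OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}\s]+)")
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header
# Assumed watch-list: "Package" drops an arbitrary file, "Equation.3" targets Equation Editor.
FLAGGED_CLASSES = {"Package", "Equation.3"}


def _lp_string(buf, off):
    """OLE1 LengthPrefixedAnsiString: u32 length (incl. NUL) followed by the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4: off + 4 + n].rstrip(b"\0"), off + 4 + n


def parse_ole1(blob):
    """(class_name, native_data) from an OLE1 EmbeddedObject stream, or None for other formats.
    Layout: u32 OLEVersion, u32 FormatID (2 = embedded), ClassName, TopicName,
    ItemName (all length-prefixed), u32 NativeDataSize, NativeData."""
    if len(blob) < 8:
        return None
    _version, fmt = struct.unpack_from("<II", blob, 0)
    if fmt != 2:
        return None
    cls, off = _lp_string(blob, 8)
    _topic, off = _lp_string(blob, off)
    _item, off = _lp_string(blob, off)
    (size,) = struct.unpack_from("<I", blob, off)
    return cls.decode("latin-1"), blob[off + 4: off + 4 + size]


def find_objects(rtf):
    """One record per objdata blob: OLE1 class, payload size, CFB flag, watch-list hit,
    and whether the declared objclass words agree with the class inside the stream."""
    declared = {c.decode("latin-1") for c in OBJCLASS_RE.findall(rtf)}
    records = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a trailing half byte
            hexdata = hexdata[:-1]
        blob = bytes.fromhex(hexdata.decode("ascii"))
        parsed = parse_ole1(blob)
        cls, data = parsed if parsed else ("?", blob)
        records.append({
            "ole1_class": cls,
            "size": len(data),
            "is_cfb": data.startswith(CFB_MAGIC),
            "flagged": cls in FLAGGED_CLASSES,
            "declared_mismatch": bool(declared) and cls not in declared,
        })
    return records


def build_objdata(class_name, native):
    """Build a minimal OLE1 EmbeddedObject stream (used only to construct the sample)."""
    def lp(s):
        s += b"\0"
        return struct.pack("<I", len(s)) + s
    return (struct.pack("<II", 0x501, 2) + lp(class_name) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)


# Constructed sample: an RTF embedding a "Package" object whose payload is a CFB header.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
    + build_objdata(b"Package", CFB_MAGIC + b"\0" * 24).hex().encode()
    + b"}}}"
)

if __name__ == "__main__":
    for rec in find_objects(SAMPLE_RTF):
        print(rec)
```

A clean result from this pass does not clear the file: RTF readers tolerate control words spread over whitespace, nested groups and junk between hex digits, so a document that defeats this simple regex still deserves a look with a full RTF parser. A hit, on the other hand, explains a quiet sandbox run immediately, since a Package object needs the user to double-click it before anything happens.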

Files

memory/3084-0-0x00007FFC4D660000-0x00007FFC4D670000-memory.dmp

memory/3084-2-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-1-0x00007FFC4D660000-0x00007FFC4D670000-memory.dmp

memory/3084-4-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-5-0x00007FFC4D660000-0x00007FFC4D670000-memory.dmp

memory/3084-3-0x00007FFC4D660000-0x00007FFC4D670000-memory.dmp

memory/3084-7-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-9-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-10-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-11-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-12-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-13-0x00007FFC4A780000-0x00007FFC4A790000-memory.dmp

memory/3084-14-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-15-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-16-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-17-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-18-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-19-0x00007FFC4A780000-0x00007FFC4A790000-memory.dmp

memory/3084-20-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-22-0x00007FFC8D240000-0x00007FFC8D2EE000-memory.dmp

memory/3084-25-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-27-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-23-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-29-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-30-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-31-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-32-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-204-0x0000017E06B30000-0x0000017E06BC1000-memory.dmp

memory/3084-209-0x0000017E06B30000-0x0000017E06BC1000-memory.dmp

memory/3084-210-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-211-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-212-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-213-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-222-0x0000017E06B30000-0x0000017E06BC1000-memory.dmp

memory/3084-293-0x00007FFC4D660000-0x00007FFC4D670000-memory.dmp

memory/3084-295-0x00007FFC8D240000-0x00007FFC8D2EE000-memory.dmp

memory/3084-297-0x00007FFC8D240000-0x00007FFC8D2EE000-memory.dmp

memory/3084-299-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-300-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-302-0x0000017E06B30000-0x0000017E06BC1000-memory.dmp

memory/3084-301-0x00007FFC8D5D0000-0x00007FFC8D7AB000-memory.dmp

memory/3084-298-0x00007FFC4D660000-0x00007FFC4D670000-memory.dmp

memory/3084-296-0x00007FFC4D660000-0x00007FFC4D670000-memory.dmp

memory/3084-294-0x00007FFC4D660000-0x00007FFC4D670000-memory.dmp

memory/3084-303-0x00007FFC8D240000-0x00007FFC8D2EE000-memory.dmp