Malware Analysis Report

2024-08-06 11:03

Sample ID 240112-m584bafdh3
Target 6306b20b4b3fc089a7fd0e0b15ea52da879da95463d247d4f0a698207eda2718.7zip
SHA256 6306b20b4b3fc089a7fd0e0b15ea52da879da95463d247d4f0a698207eda2718
Tags
cobaltstrike 100000000 backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6306b20b4b3fc089a7fd0e0b15ea52da879da95463d247d4f0a698207eda2718

Threat Level: Known bad

The file 6306b20b4b3fc089a7fd0e0b15ea52da879da95463d247d4f0a698207eda2718.7zip was found to be: Known bad.

Malicious Activity Summary

cobaltstrike 100000000 backdoor trojan

Cobaltstrike

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-01-12 11:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-12 11:04

Reported

2024-01-12 11:06

Platform

win7-20231215-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\China's_gray-zone_warfare_against_Taiwan.doc.lnk

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\360se.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\360se.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\360se.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 1384 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 1384 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 1068 wrote to memory of 1120 N/A C:\Windows\explorer.exe C:\Windows\System32\WScript.exe
PID 1068 wrote to memory of 1120 N/A C:\Windows\explorer.exe C:\Windows\System32\WScript.exe
PID 1068 wrote to memory of 1120 N/A C:\Windows\explorer.exe C:\Windows\System32\WScript.exe
PID 1120 wrote to memory of 2624 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1120 wrote to memory of 2624 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1120 wrote to memory of 2624 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2624 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2624 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2624 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2624 wrote to memory of 2964 N/A C:\Windows\System32\cmd.exe \??\c:\windows\system32\certutil.exe
PID 2624 wrote to memory of 2964 N/A C:\Windows\System32\cmd.exe \??\c:\windows\system32\certutil.exe
PID 2624 wrote to memory of 2964 N/A C:\Windows\System32\cmd.exe \??\c:\windows\system32\certutil.exe
PID 2624 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\expand.exe
PID 2624 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\expand.exe
PID 2624 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\expand.exe
PID 2624 wrote to memory of 3044 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2624 wrote to memory of 3044 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2624 wrote to memory of 3044 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2624 wrote to memory of 3044 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2624 wrote to memory of 2536 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe
PID 2624 wrote to memory of 2536 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe
PID 2624 wrote to memory of 2536 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe
PID 2624 wrote to memory of 2536 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe
PID 3044 wrote to memory of 1512 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 3044 wrote to memory of 1512 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 3044 wrote to memory of 1512 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 3044 wrote to memory of 1512 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\China's_gray-zone_warfare_against_Taiwan.doc.lnk

C:\Windows\explorer.exe

"C:\Windows\explorer.exe" __MACOS\_params.cat.js

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\__MACOS\_params.cat.js"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp > C:\Users\Admin\AppData\Roaming\sxytyM.tmp&for /r c:\windows\system32\ %i in (*ertu*.exe) do %i -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp&expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\&start C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc&start C:\Users\Admin\AppData\Roaming\360se.exe&del C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp

C:\Windows\system32\findstr.exe

findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp

\??\c:\windows\system32\certutil.exe

c:\windows\system32\certutil.exe -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp

C:\Windows\system32\expand.exe

expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\

C:\Users\Admin\AppData\Roaming\360se.exe

C:\Users\Admin\AppData\Roaming\360se.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc"

Network

Country Destination Domain Proto
US 8.8.8.8:53 upserver.updateservice.store udp
US 104.21.23.225:443 upserver.updateservice.store tcp
US 104.21.23.225:443 upserver.updateservice.store tcp
US 104.21.23.225:443 upserver.updateservice.store tcp

Files

C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp

MD5 a8aaf88058de4898468d774bcc39cf47
SHA1 ee28eadfae02def1213b56d87633b3689cebca94
SHA256 c99b999b271f193fcd66c538634a9306065067df01ebdc5d616bacc305414008
SHA512 1c1df33638a23eab90fb80464ccc8b04bc5f87304135b24f1f7beafe2a6c1fa0690e26d85f3de11ce15839b12996372f774391a80e9b4b4dea9ab03c83794afc

C:\Users\Admin\AppData\Roaming\sxytyM.tmp

MD5 765d4ef1bab0cc59a1220cf4e1ac29a2
SHA1 2e5f36f9f021d9035c7cbea8f4af3251cecec9b9
SHA256 1f6ae807830f62066f4a82963eb8d4166b1ae6563104e9c437e703f1c2821636
SHA512 af9fc46f799507e482dba8cc70b128b8b50f41400416a80da5684f8740aa75a73d2096c91f692bef71946a5be97104938d983d4873f8c5e2a137a18245813a2e

\??\c:\users\admin\appdata\roaming\sfnlzw.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3044-83-0x0000000070D4D000-0x0000000070D58000-memory.dmp

memory/3044-82-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3044-77-0x000000002F5C1000-0x000000002F5C2000-memory.dmp

memory/2536-103-0x00000000005F0000-0x0000000000678000-memory.dmp

memory/2536-102-0x0000000000290000-0x00000000002C4000-memory.dmp

memory/2536-104-0x00000000005F0000-0x0000000000678000-memory.dmp

memory/3044-114-0x0000000070D4D000-0x0000000070D58000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-12 11:04

Reported

2024-01-12 11:06

Platform

win10v2004-20231215-en

Max time kernel

141s

Max time network

149s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\China's_gray-zone_warfare_against_Taiwan.doc.lnk

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\360se.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\360se.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\system32\expand.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings C:\Windows\System32\cmd.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 2472 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\explorer.exe
PID 1772 wrote to memory of 4436 N/A C:\Windows\explorer.exe C:\Windows\System32\WScript.exe
PID 1772 wrote to memory of 4436 N/A C:\Windows\explorer.exe C:\Windows\System32\WScript.exe
PID 4436 wrote to memory of 2356 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 4436 wrote to memory of 2356 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2356 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2356 wrote to memory of 1480 N/A C:\Windows\System32\cmd.exe \??\c:\windows\system32\certutil.exe
PID 2356 wrote to memory of 1480 N/A C:\Windows\System32\cmd.exe \??\c:\windows\system32\certutil.exe
PID 2356 wrote to memory of 3388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\expand.exe
PID 2356 wrote to memory of 3388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\expand.exe
PID 2356 wrote to memory of 1328 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2356 wrote to memory of 1328 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2356 wrote to memory of 2256 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe
PID 2356 wrote to memory of 2256 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe
PID 2356 wrote to memory of 2256 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\China's_gray-zone_warfare_against_Taiwan.doc.lnk

C:\Windows\explorer.exe

"C:\Windows\explorer.exe" __MACOS\_params.cat.js

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\__MACOS\_params.cat.js"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp > C:\Users\Admin\AppData\Roaming\sxytyM.tmp&for /r c:\windows\system32\ %i in (*ertu*.exe) do %i -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp&expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\&start C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc&start C:\Users\Admin\AppData\Roaming\360se.exe&del C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp

C:\Windows\system32\findstr.exe

findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp

\??\c:\windows\system32\certutil.exe

c:\windows\system32\certutil.exe -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp

C:\Windows\system32\expand.exe

expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc" /o ""

C:\Users\Admin\AppData\Roaming\360se.exe

C:\Users\Admin\AppData\Roaming\360se.exe

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 upserver.updateservice.store udp
US 104.21.23.225:443 upserver.updateservice.store tcp
US 8.8.8.8:53 225.23.21.104.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 104.21.23.225:443 upserver.updateservice.store tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 104.21.23.225:443 upserver.updateservice.store tcp

Files

C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp

MD5 d214bd09651a5f905ffaf546d3c019a8
SHA1 d3c8e3695dd84610712b0ae1c1b92814b0c2129c
SHA256 cb9527e7f2ad74f4d5e737a19f59e6d01bc1c618e533f0512b0f47e253413e97
SHA512 abb18fa4584f7e5ef29e43558f158ca86ee5d726bc5646f0d0e15f915c993e91689b2ad82949c3b5d1be59c3588104411a0ed9fc1211720cdfa83a92b64ffd19

\??\c:\users\admin\appdata\roaming\sfnlzw.tmp

MD5 4ce61692705f938e7a41556dbf37872c
SHA1 6b66a2729c3444d44bfd82ac76eb0a46eea7638e
SHA256 f32415fab8cc5ce811088b85475d0691815e6ac3ff9a65c1f6a134fa25f05b4f
SHA512 5fb5416b8c1ea4194f3f26883b626d52450676de905d14dd1ee7b76014c3edcaa183b0cb8e7dee6520daf50d0ac180399daaad6c2429daa26a54b6289412b037

C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc

MD5 16578aeab36f8c8f72d1a858ec21fd9c
SHA1 78f2d46da970d00033a483d0098ba9e106694321
SHA256 156eec85df18e7ff992a5bf35c97938557ac506c2306a8cb6633602d8a6568ed
SHA512 7e5171f365ea40e095dc6431a7598baeca21b46a52ca53a56e8124c4b41b6f3fd6f8f2afc0cf4db6b30da5a71e72a3451c53074681ed0cc5893db4fbf8f6a6e9

memory/1328-18-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

memory/1328-19-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

memory/1328-20-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

memory/1328-21-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

memory/1328-22-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

memory/1328-23-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

memory/1328-24-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

memory/1328-25-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

C:\Users\Admin\AppData\Roaming\360se.exe

MD5 f44d91b5ada6238eb2d6e619163cc62a
SHA1 66ef3d305e393c9b4f6bae7f418d4f7fb537ce4d
SHA256 2c9193641261c691300cff1d18f149126036da623b475dfc36fde27fca102b91
SHA512 edea071c90ec67b47ecee3b9913bab4f31bab2f36a4e397a0df801e4034306a77806bf0cb3cfeb1ba5b4272e737eba7ddfcdaf29bf749d0bfdf10cf0c8a329f1

memory/1328-28-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

memory/1328-29-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

memory/1328-30-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

C:\Users\Admin\AppData\Roaming\chrome_elf.dll

MD5 4f265905d3adad5c9e0d0aa250849404
SHA1 c147c8646a34ae54e4bdbfaffdf44848b78c209f
SHA256 fb6b0ff2da14b6447b21f0fc4ae73724667c8f6d296d707f18a28633b4e59ed0
SHA512 adddbcf8e5b9bc64fe6663911854d37f8dd586cef2dac8749c14faa554e74943021fa340624f49cf8854f70eb159faa9a12570d04d1ffe9686a1abebc8909398

memory/2256-33-0x00000000014E0000-0x0000000001514000-memory.dmp

memory/2256-34-0x0000000001660000-0x00000000016E8000-memory.dmp

memory/1328-35-0x00007FF89E900000-0x00007FF89E910000-memory.dmp

memory/1328-36-0x00007FF89E900000-0x00007FF89E910000-memory.dmp

memory/2256-38-0x0000000001660000-0x00000000016E8000-memory.dmp

memory/1328-58-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 9f99ce656295700be4b7fbbd24410034
SHA1 68f378a501f375b1dccb3ab26ec1e940e2355796
SHA256 dde6f766d8e8123b83d971c65dacbb02d019ca1c3a416309b8cc827031ce1e97
SHA512 c80e9cf2a368eeb4ecafd9f19c8c411afb87a036550681a2b22ee7a33542455f587ae9c7fd6d2a34cba341eb0de25255126599c23bd1abcf18b3a8ca65adbcd0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 87c76c0b82a0b32968f996a89f3be87b
SHA1 0e55d1d8f8adf3178b9c4b963532db11fee466bd
SHA256 8fb5ca421c484c30805dacba38fcf61ea8ccfbe904a3a6bcb599459064b3e031
SHA512 3979e9120374133c03d639ca997902a6fd240c2b7d1839bdfd3cb2a47855cda3b0ba056be671b765300732a64d992de542bdb465da2e00d25b445757eea7014b

memory/1328-96-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

memory/1328-97-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

memory/1328-98-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

memory/1328-99-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

memory/1328-100-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

memory/1328-101-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

memory/1328-103-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

memory/1328-102-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-01-12 11:04

Reported

2024-01-12 11:06

Platform

win7-20231215-en

Max time kernel

144s

Max time network

145s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\__MACOS\_params.cat.js

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\360se.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\360se.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\360se.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 2796 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2024 wrote to memory of 2796 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2024 wrote to memory of 2796 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2796 wrote to memory of 2156 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2796 wrote to memory of 2156 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2796 wrote to memory of 2156 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 2796 wrote to memory of 2688 N/A C:\Windows\System32\cmd.exe \??\c:\windows\system32\certutil.exe
PID 2796 wrote to memory of 2688 N/A C:\Windows\System32\cmd.exe \??\c:\windows\system32\certutil.exe
PID 2796 wrote to memory of 2688 N/A C:\Windows\System32\cmd.exe \??\c:\windows\system32\certutil.exe
PID 2796 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\expand.exe
PID 2796 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\expand.exe
PID 2796 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\expand.exe
PID 2796 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2796 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2796 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2796 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2796 wrote to memory of 2756 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe
PID 2796 wrote to memory of 2756 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe
PID 2796 wrote to memory of 2756 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe
PID 2796 wrote to memory of 2756 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe
PID 2732 wrote to memory of 1648 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2732 wrote to memory of 1648 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2732 wrote to memory of 1648 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2732 wrote to memory of 1648 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\__MACOS\_params.cat.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp > C:\Users\Admin\AppData\Roaming\sxytyM.tmp&for /r c:\windows\system32\ %i in (*ertu*.exe) do %i -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp&expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\&start C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc&start C:\Users\Admin\AppData\Roaming\360se.exe&del C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp

C:\Windows\system32\findstr.exe

findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp

\??\c:\windows\system32\certutil.exe

c:\windows\system32\certutil.exe -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp

C:\Windows\system32\expand.exe

expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\

C:\Users\Admin\AppData\Roaming\360se.exe

C:\Users\Admin\AppData\Roaming\360se.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 upserver.updateservice.store udp
US 104.21.23.225:443 upserver.updateservice.store tcp
US 104.21.23.225:443 upserver.updateservice.store tcp
US 104.21.23.225:443 upserver.updateservice.store tcp
US 104.21.23.225:443 upserver.updateservice.store tcp

Files

C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp

MD5 3a5d8b6cd9ed9eaaf2a4eca6ececf614
SHA1 f2405f13c88ee9c734fa35f776427923c8cfc90e
SHA256 4702d44f416fea9a92e9f299f7ec30c56524ae3281dbb3c5abd723ec6cbc075d
SHA512 23fc2d78c4c1bbdad6194a8132f5dfe184db5a4a0a2b9b2ec5bd3193dc5414ac2db6a5156dfb80377477588c7797f1cdda25d29c20c017523a6387e3bccfa65d

C:\Users\Admin\AppData\Roaming\sxytyM.tmp

MD5 0c1585a525705f9f103c88726d13c210
SHA1 3ed0e06658dfd522fa49dccbf6b6decae435ff76
SHA256 751ae2969d8d26f75ac67ae577418140a6d2c0830134b53e87ef3b5367673abc
SHA512 392f6379e237aa420640fceeea18a78a78766fa03574cf2f6c6421a16149edb618431c9a85e0a09672911e2a3e27d3b02d84bb828fb70a5f3918497a848974c5

\??\c:\users\admin\appdata\roaming\sfnlzw.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2732-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2732-47-0x000000007144D000-0x0000000071458000-memory.dmp

memory/2732-40-0x000000002F281000-0x000000002F282000-memory.dmp

memory/2756-67-0x00000000002E0000-0x0000000000368000-memory.dmp

memory/2756-66-0x00000000000F0000-0x0000000000124000-memory.dmp

memory/2756-68-0x00000000002E0000-0x0000000000368000-memory.dmp

memory/2732-78-0x000000007144D000-0x0000000071458000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 dbcea5869bfc256f9220db9a7d04c4e9
SHA1 7d029086ccf3a44bfd3ac955cbaa1dae099d8014
SHA256 8be008a9a9257fe2248ac86ebb566b5ba3c7d85cfc8484f6209a69cb22369e1e
SHA512 639b4d43d92bc46c45d25816f571b916f0021ff8a82cc153d12098ac646e78b49d424eea0f8db2965e501e7663e1c9ac075d9916579eeabb3084f17ae3b1f82e

memory/2732-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-01-12 11:04

Reported

2024-01-12 11:06

Platform

win10v2004-20231215-en

Max time kernel

136s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\__MACOS\_params.cat.js

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Windows\System32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\360se.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\360se.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\system32\expand.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\system32\expand.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings C:\Windows\System32\cmd.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 1632 N/A N/A C:\Windows\System32\cmd.exe
PID 2820 wrote to memory of 1632 N/A N/A C:\Windows\System32\cmd.exe
PID 1632 wrote to memory of 2264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 1632 wrote to memory of 2264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 1632 wrote to memory of 1940 N/A C:\Windows\System32\cmd.exe \??\c:\windows\system32\certutil.exe
PID 1632 wrote to memory of 1940 N/A C:\Windows\System32\cmd.exe \??\c:\windows\system32\certutil.exe
PID 1632 wrote to memory of 4092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\expand.exe
PID 1632 wrote to memory of 4092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\expand.exe
PID 1632 wrote to memory of 2064 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1632 wrote to memory of 2064 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1632 wrote to memory of 3048 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe
PID 1632 wrote to memory of 3048 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe
PID 1632 wrote to memory of 3048 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Roaming\360se.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\__MACOS\_params.cat.js

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp > C:\Users\Admin\AppData\Roaming\sxytyM.tmp&for /r c:\windows\system32\ %i in (*ertu*.exe) do %i -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp&expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\&start C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc&start C:\Users\Admin\AppData\Roaming\360se.exe&del C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp

C:\Windows\system32\findstr.exe

findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp

\??\c:\windows\system32\certutil.exe

c:\windows\system32\certutil.exe -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc" /o ""

C:\Windows\system32\expand.exe

expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\

C:\Users\Admin\AppData\Roaming\360se.exe

C:\Users\Admin\AppData\Roaming\360se.exe

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 upserver.updateservice.store udp
US 172.67.213.250:443 upserver.updateservice.store tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 250.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 88.221.135.217:80 tcp
GB 88.221.135.217:80 tcp
US 138.91.171.81:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 172.67.213.250:443 upserver.updateservice.store tcp
US 8.8.8.8:53 udp
N/A 20.54.110.119:443 tcp
US 8.8.8.8:53 udp
GB 88.221.134.18:80 tcp
GB 88.221.134.18:80 tcp
GB 88.221.134.18:80 tcp
GB 88.221.134.18:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 88.221.134.18:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 88.221.135.88:80 tcp
GB 88.221.135.88:80 tcp
GB 88.221.134.18:80 tcp
US 8.8.8.8:53 udp
GB 88.221.134.18:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 88.221.134.18:80 tcp
GB 23.44.234.16:80 tcp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 udp
US 138.91.171.81:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 udp
GB 88.221.135.217:80 tcp
GB 88.221.135.217:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
US 172.67.213.250:443 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 udp
GB 92.123.140.25:80 tcp
GB 88.221.135.217:80 tcp
GB 88.221.135.217:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.211:80 tcp
GB 88.221.135.217:80 tcp
GB 88.221.135.217:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 88.221.135.217:80 tcp
GB 88.221.135.217:80 tcp
US 8.8.8.8:53 udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
GB 88.221.135.217:80 tcp
GB 88.221.135.217:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 udp
N/A 87.248.205.0:80 tcp
N/A 87.248.205.0:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 udp
US 20.231.121.79:80 tcp

Files

C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp

MD5 a8aaf88058de4898468d774bcc39cf47
SHA1 ee28eadfae02def1213b56d87633b3689cebca94
SHA256 c99b999b271f193fcd66c538634a9306065067df01ebdc5d616bacc305414008
SHA512 1c1df33638a23eab90fb80464ccc8b04bc5f87304135b24f1f7beafe2a6c1fa0690e26d85f3de11ce15839b12996372f774391a80e9b4b4dea9ab03c83794afc

C:\Users\Admin\AppData\Roaming\sxytyM.tmp

MD5 3e7df42efc760f0eb36f166dfd421ff7
SHA1 fa7e5a9b294a2e6cae611d68443ba067a377bc28
SHA256 ea15c7cfbb0ecffc7db9896ffab3df6a1128887076c6a389cb34c6983ec0c3ff
SHA512 b6673c282fa92c3cf961ccf2eb5bdf170c6ea14a538c5f652cf3a3deb6926d443af0e31e8f79d388fe93e61d652c73884ec98b404abca0c96819412a3e6a25ce

\??\c:\users\admin\appdata\roaming\sfnlzw.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2064-27-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-30-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-32-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-34-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-36-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-39-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-42-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-44-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-43-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-41-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-40-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-38-0x00007FF8D21F0000-0x00007FF8D2200000-memory.dmp

memory/2064-37-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-35-0x00007FF8D21F0000-0x00007FF8D2200000-memory.dmp

memory/2064-33-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-31-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-29-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

memory/2064-28-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

memory/2064-26-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

memory/2064-25-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-24-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

memory/2064-21-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-20-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

memory/3048-57-0x0000000000EE0000-0x0000000000F68000-memory.dmp

memory/3048-56-0x0000000000D40000-0x0000000000D74000-memory.dmp

memory/3048-64-0x0000000000EE0000-0x0000000000F68000-memory.dmp

memory/2064-87-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-88-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-89-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-110-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

memory/2064-113-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-114-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-112-0x00007FF9142B0000-0x00007FF9144A5000-memory.dmp

memory/2064-111-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

memory/2064-109-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp

memory/2064-108-0x00007FF8D4330000-0x00007FF8D4340000-memory.dmp