Malware Analysis Report

2024-07-11 07:28

Sample ID 240313-cpnsbsbh37
Target b4fc5b365d6ccb4dc726a82c8b3f1c39ce16bf848c779706569c938d1a6855a8
SHA256 b4fc5b365d6ccb4dc726a82c8b3f1c39ce16bf848c779706569c938d1a6855a8
Tags macro macro_on_action upx miner vmprotect pyinstaller xmrig diamondfox nanocore persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral12
Analysis: behavioral15
Analysis: behavioral3
Analysis: behavioral5
Analysis: behavioral20
Analysis: behavioral16
Analysis: behavioral19
Analysis: behavioral2
Analysis: behavioral4
Analysis: behavioral7
Analysis: behavioral11
Analysis: behavioral22
Analysis: behavioral6
Analysis: behavioral8
Analysis: behavioral14
Analysis: behavioral18
Analysis: behavioral31
Analysis: behavioral23
Analysis: behavioral26
Analysis: behavioral27
Analysis: behavioral28
Analysis: behavioral30
Analysis: behavioral9
Analysis: behavioral10
Analysis: behavioral13
Analysis: behavioral29
Analysis: behavioral1
Analysis: behavioral24
Analysis: behavioral25
Analysis: behavioral32
Analysis: behavioral17
Analysis: behavioral21

(each behavioral analysis has the sections Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

b4fc5b365d6ccb4dc726a82c8b3f1c39ce16bf848c779706569c938d1a6855a8

Threat Level: Known bad

The file b4fc5b365d6ccb4dc726a82c8b3f1c39ce16bf848c779706569c938d1a6855a8 was found to be: Known bad.

Malicious Activity Summary

macro macro_on_action upx miner vmprotect pyinstaller xmrig diamondfox nanocore persistence

Adds autorun key to be loaded by Explorer.exe on startup

Diamondfox family

Process spawned unexpected child process

Nanocore family

XMRig Miner payload

DiamondFox stealer

Xmrig family

Suspicious Office macro

Patched UPX-packed file

Blocklisted process makes network request

Drops file in Drivers directory

Office macro that triggers on suspicious action

Executes dropped EXE

Registers new Windows logon scripts automatically executed at logon.

Loads dropped DLL

VMProtect packed file

Checks computer location settings

UPX packed file

Maps connected drives based on registry

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Detects Pyinstaller

Enumerates physical storage devices

Unsigned PE

Program crash

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious behavior: LoadsDriver

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-13 02:16

Signatures

DiamondFox stealer

Description Indicator Process Target: 3 rows, all fields N/A

Diamondfox family

diamondfox

Nanocore family

nanocore

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target: 3 rows, all fields N/A

Patched UPX-packed file

Description Indicator Process Target: 3 rows, all fields N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target: 7 rows, all fields N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

AutoIT Executable

Description Indicator Process Target: 4 rows, all fields N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target: 3 rows, all fields N/A

Unsigned PE

Description Indicator Process Target: 98 rows, all fields N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:20

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28wmsApplication.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28wmsApplication.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28wmsApplication.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 840 -ip 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 320

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20240221-en

Max time kernel

122s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyBearZekapab.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyBearZekapab.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyBearZekapab.exe"

Network

N/A

Files

memory/1812-0-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1812-1-0x0000000000400000-0x00000000004C9000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20240221-en

Max time kernel

121s

Max time network

144s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28DecoyDocument.doc"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28DecoyDocument.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2208-0-0x000000002F531000-0x000000002F532000-memory.dmp

memory/2208-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2208-2-0x00000000710BD000-0x00000000710C8000-memory.dmp

memory/2208-11-0x00000000710BD000-0x00000000710C8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 ecb9c0b7d6cbf5cb31d64d4518a6746f
SHA1 09d96834f1c81e510eedbdcb21b7d10f3f484b17
SHA256 46f2e6ac69bf9a925b022b8aea0b833d4a141552ea9a8662b7f03febd64fc10a
SHA512 4608ddf95af70512b0d1cd8255327ccc85d4c77e2c3b069be362c09a9ebebf54dfb3a07194ed9f23d4c9bead32a0d9327c3b9287a5f78cd97ad5c0563381bc6a

memory/2208-26-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20231129-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28DropperExcelDoc.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\certutil.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28DropperExcelDoc.xls"

C:\Windows\SysWOW64\certutil.exe

certutil -decode C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\T1U3H6N7.txt C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\T1U3H6N7.txt

MD5 1b330a7f7cc348ce408c10b64c79a5e8
SHA1 e82ee9c54b78df69404f3fa75f8a3f703b72cb70
SHA256 4e77c794ccd2cb3a0139ce07f70e170b15bc1e618ac6959797cec889048b5005
SHA512 7a077b90802e020edbd545ed5726f1339052422026d9f3438592c35099ce1b168a8d2d2a6f3845ecb6422f54f388611f53c013ddaec74182ab98b7bd6b35682e

\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe

MD5 ba78410702f0cc8453da1afbb2a8b670
SHA1 1083245ac66d4261f526d18d4eac79a7dbd72989
SHA256 9f9e74241d59eccfe7040bfdcbbceacb374eda397cc53a4197b59e4f6f380a91
SHA512 7433785795c68faa74b2d34b734cf4c4564940fbe21cb9ddd6c0251378455a9ded4595055059d42b73e8cdbfe59f16b4b4d4100fcca94a440bb9520f4572f74b

\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe

MD5 50aa8af4f5101a86840229df217aa209
SHA1 bc65547bf9747a0bf434250c61c6a37849f65d35
SHA256 e2accb5ee1d9ca68948e33fcc5a09b1ee7285913c5df5faca59e6c77977a9b6a
SHA512 585a4504b7612672b7e9f07b60efb555d497460f27a7f9277772806e10f06ad762704c3f420f28d3970190d46f6ec16e8a3e4dd3b707abb45cd168f844a1b232

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe

MD5 ad397ea731eb14f229ea0431f326303d
SHA1 977dfba3a6b229749a9df76914791687baac6b11
SHA256 327396d328336b5124c5d38de8b8871c58f5bd0bb3ee1ce0188f74fd3dfe73fc
SHA512 eed9a7add8d5ad02d2f8dd131d82b137806a782431c3e8540e02c4099b38a250bfc24f2d20413a6d906a540b0c85abd8f5f50e01a87ee9677cc3f3f0bbb65737


Analysis: behavioral20

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:20

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyImplant.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyImplant.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyImplant.exe"

Network

Country Destination Domain Proto

Files

memory/4640-0-0x0000000002500000-0x0000000002501000-memory.dmp

memory/4640-1-0x0000000000400000-0x00000000004B5000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyBearZekapab.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyBearZekapab.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyBearZekapab.exe"

Network

Country Destination Domain Proto

Files

memory/4620-0-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

memory/4620-1-0x0000000000400000-0x00000000004C9000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:21

Platform

win7-20240221-en

Max time kernel

79s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyImplant.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyImplant.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyImplant.exe"

Network

N/A

Files

memory/268-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/268-1-0x0000000000400000-0x00000000004B5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win10v2004-20231215-en

Max time kernel

101s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysConnect = "{44cbfc09-79e6-46a7-8c56-c3dffb8842b7}" C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\winmgmt.dll C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A
File created C:\Windows\SysWOW64\sysconnect.dll C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44cbfc09-79e6-46a7-8c56-c3dffb8842b7}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44cbfc09-79e6-46a7-8c56-c3dffb8842b7}\InProcServer32\ = "C:\\Windows\\SysWow64\\sysconnect.dll" C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44cbfc09-79e6-46a7-8c56-c3dffb8842b7}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{44cbfc09-79e6-46a7-8c56-c3dffb8842b7}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44cbfc09-79e6-46a7-8c56-c3dffb8842b7} C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NATO.doc" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\NATO.doc

MD5 fd34f554ee16947045ef7aecc6d8a6ae
SHA1 8b424ff7bfdb326c73bc0231c9329e4eccc5cb1b
SHA256 e14998cd3efa380d8e042f33e08ca42934e8e04c6f346a2b560830e4ed26ebf2
SHA512 0ddb0594a5412564a6901241aa27dfd3f97e96f3b2154a5daa1874155e9877fc25dd91c18da09d0667b927481b2090278da04b334214749b6b59eb231ff27d50

memory/5068-10-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/5068-11-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/5068-12-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/5068-14-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/5068-13-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/5068-15-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/5068-16-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/5068-17-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/5068-18-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/5068-19-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/5068-20-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/5068-21-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/5068-22-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/5068-23-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/5068-25-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/5068-24-0x00007FFF93F60000-0x00007FFF93F70000-memory.dmp

memory/5068-26-0x00007FFF93F60000-0x00007FFF93F70000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/5068-48-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/5068-67-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/5068-68-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/5068-69-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/5068-70-0x00007FFF96010000-0x00007FFF96020000-memory.dmp

memory/5068-71-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

memory/5068-72-0x00007FFFD5F90000-0x00007FFFD6185000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:21

Platform

win10v2004-20240226-en

Max time kernel

164s

Max time network

242s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28DecoyDocument.doc" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28DecoyDocument.doc" /o ""

Network

Country Destination Domain Proto
GB 142.250.178.10:443 tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4800-0-0x00007FFF84CF0000-0x00007FFF84D00000-memory.dmp

memory/4800-1-0x00007FFF84CF0000-0x00007FFF84D00000-memory.dmp

memory/4800-2-0x00007FFF84CF0000-0x00007FFF84D00000-memory.dmp

memory/4800-3-0x00007FFFC4C70000-0x00007FFFC4E65000-memory.dmp

memory/4800-4-0x00007FFFC4C70000-0x00007FFFC4E65000-memory.dmp

memory/4800-5-0x00007FFF84CF0000-0x00007FFF84D00000-memory.dmp

memory/4800-6-0x00007FFFC4C70000-0x00007FFFC4E65000-memory.dmp

memory/4800-8-0x00007FFFC4C70000-0x00007FFFC4E65000-memory.dmp

memory/4800-7-0x00007FFF84CF0000-0x00007FFF84D00000-memory.dmp

memory/4800-9-0x00007FFFC4C70000-0x00007FFFC4E65000-memory.dmp

memory/4800-10-0x00007FFFC4C70000-0x00007FFFC4E65000-memory.dmp

memory/4800-11-0x00007FFFC4C70000-0x00007FFFC4E65000-memory.dmp

memory/4800-12-0x00007FFF82AD0000-0x00007FFF82AE0000-memory.dmp

memory/4800-19-0x00007FFF82AD0000-0x00007FFF82AE0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20240221-en

Max time kernel

119s

Max time network

138s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28Hospital.docm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Registers new Windows logon scripts automatically executed at logon.

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Environment\UserInitMprLogonScript = "C:\\Users\\Admin\\AppData\\Roaming\\mrset.bat" C:\Windows\SysWOW64\rundll32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2448 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2448 wrote to memory of 2720 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2720 wrote to memory of 2496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2496 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2496 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2752 wrote to memory of 2492 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2752 wrote to memory of 2492 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2752 wrote to memory of 2492 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2752 wrote to memory of 2492 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28Hospital.docm"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Roaming\user.dat, #1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Roaming\user.dat, #1

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Roaming\mrset.bat

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Roaming\mvtband.dat",#1

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
NL 172.217.23.206:443 google.com tcp
US 8.8.8.8:53 mvband.net udp
US 104.155.138.21:443 mvband.net tcp
NL 172.217.23.206:443 google.com tcp
US 104.155.138.21:443 mvband.net tcp

Files

memory/2752-0-0x000000002F241000-0x000000002F242000-memory.dmp

memory/2752-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2752-2-0x0000000070EFD000-0x0000000070F08000-memory.dmp

memory/2752-5-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-6-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-7-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-11-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-10-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-9-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-8-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-12-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-13-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-15-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-14-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-17-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-18-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-20-0x0000000000400000-0x0000000000500000-memory.dmp

memory/2752-19-0x0000000000400000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Roaming\user.dat

MD5 b1d1a2c64474d2f6e7a5db71ccbafa31
SHA1 91d8e6f993e8b294924811df052e96cbec0545ad
SHA256 58b223f74992f371cab8f1df7c03b9b66f2ea9e3c9e22122898a9be62a05c0b4
SHA512 7f3a458083159e51e505074c46fa18a744bed43a21efca957a0bd60a8c8347597025dedf500b73c4cb5f5a107fb8975cb52b453deddf9fc69e46f8d417004b44

C:\Users\Admin\AppData\Roaming\mrset.bat

MD5 583ea25b69feded9f65cfbff169147a9
SHA1 56e6487b283f2718483fe8823f70e36ffbce6fb7
SHA256 51eaf3b30c1ea932843cb9f5b6fb41804976d94a53a507ccb292b8392276cfd6
SHA512 adeb0df1f5edf3d1348f048da8760c2f8a9b3b0a8fd87a92ec62fbf0fc83681b928c2bee064a0b731bc4842c5d34f9e00e00303c4de4a56c9027e127d30260f5

C:\Users\Admin\AppData\Roaming\mvtband.dat

MD5 1421419d1be31f1f9ea60e8ed87277db
SHA1 f9fd3f1d8da4ffd6a494228b934549d09e3c59d1
SHA256 8c47961181d9929333628af20bdd750021e925f40065374e6b876e3b8afbba57
SHA512 a6825107c5e60231dcf631e702c3b75422bad8644ac69df21aa9e9437758850f31d84fe95a4e0386235b3b7103bbcc8945365f4d804cbb16e161c5577680a072

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2752-51-0x0000000070EFD000-0x0000000070F08000-memory.dmp

memory/2752-52-0x0000000000400000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 5e44e9e13a92df5d7e3853061fe71767
SHA1 8ad13ba623a0c79fe3a87767e1a093337467ac2d
SHA256 f7b9bf7cc0355c7e1781a3e3f36c884121e06e03aa91bb72b0feaf54b32c0dc3
SHA512 0ffff2feda446ea0126b8e9fd33579b8c2ad599afa9e4d5a650148d23a2a5f2f947ac85be602bb15f9dbd183d9149ed882acbc63a2149edf2a8bf56aa9c68248

memory/2752-73-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2752-74-0x0000000070EFD000-0x0000000070F08000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20240221-en

Max time kernel

118s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28wmsApplication.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28wmsApplication.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28wmsApplication.exe"

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:21

Platform

win10v2004-20240226-en

Max time kernel

164s

Max time network

242s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxInfo_EFI.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\RwDrv.sys C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxInfo_EFI.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxInfo_EFI.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxInfo_EFI.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 142.250.179.202:443 chromewebstore.googleapis.com tcp
NL 142.250.179.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.179.250.142.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28DropperExcelDoc.xls"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\certutil.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28DropperExcelDoc.xls"

C:\Windows\SYSTEM32\certutil.exe

certutil -decode C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\T1U3H6N7.txt C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4752-0-0x00007FF96B250000-0x00007FF96B260000-memory.dmp

memory/4752-3-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-5-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-4-0x00007FF96B250000-0x00007FF96B260000-memory.dmp

memory/4752-2-0x00007FF96B250000-0x00007FF96B260000-memory.dmp

memory/4752-7-0x00007FF96B250000-0x00007FF96B260000-memory.dmp

memory/4752-8-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-9-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-10-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-6-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-1-0x00007FF96B250000-0x00007FF96B260000-memory.dmp

memory/4752-12-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-13-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-11-0x00007FF968F30000-0x00007FF968F40000-memory.dmp

memory/4752-14-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-15-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-16-0x00007FF968F30000-0x00007FF968F40000-memory.dmp

memory/4752-17-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-18-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-19-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-21-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-22-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-20-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-23-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-29-0x0000025C53AF0000-0x0000025C542F0000-memory.dmp

memory/4752-30-0x0000025C53AF0000-0x0000025C542F0000-memory.dmp

memory/4752-33-0x0000025C53AF0000-0x0000025C542F0000-memory.dmp

memory/4752-38-0x0000025C53AF0000-0x0000025C542F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\T1U3H6N7.txt

MD5 1b330a7f7cc348ce408c10b64c79a5e8
SHA1 e82ee9c54b78df69404f3fa75f8a3f703b72cb70
SHA256 4e77c794ccd2cb3a0139ce07f70e170b15bc1e618ac6959797cec889048b5005
SHA512 7a077b90802e020edbd545ed5726f1339052422026d9f3438592c35099ce1b168a8d2d2a6f3845ecb6422f54f388611f53c013ddaec74182ab98b7bd6b35682e

memory/4752-41-0x0000025C53AF0000-0x0000025C542F0000-memory.dmp

memory/4752-42-0x0000025C53AF0000-0x0000025C542F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\Z4U8K1S8.exe

MD5 ba78410702f0cc8453da1afbb2a8b670
SHA1 1083245ac66d4261f526d18d4eac79a7dbd72989
SHA256 9f9e74241d59eccfe7040bfdcbbceacb374eda397cc53a4197b59e4f6f380a91
SHA512 7433785795c68faa74b2d34b734cf4c4564940fbe21cb9ddd6c0251378455a9ded4595055059d42b73e8cdbfe59f16b4b4d4100fcca94a440bb9520f4572f74b

memory/4752-55-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-56-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-59-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-60-0x0000025C53AF0000-0x0000025C542F0000-memory.dmp

memory/4752-61-0x0000025C53AF0000-0x0000025C542F0000-memory.dmp

memory/4752-62-0x0000025C53AF0000-0x0000025C542F0000-memory.dmp

memory/4752-63-0x0000025C53AF0000-0x0000025C542F0000-memory.dmp

memory/4752-64-0x0000025C53AF0000-0x0000025C542F0000-memory.dmp

memory/4752-65-0x0000025C53AF0000-0x0000025C542F0000-memory.dmp

memory/4752-86-0x00007FF96B250000-0x00007FF96B260000-memory.dmp

memory/4752-89-0x00007FF96B250000-0x00007FF96B260000-memory.dmp

memory/4752-91-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-90-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-88-0x00007FF9AB1D0000-0x00007FF9AB3C5000-memory.dmp

memory/4752-87-0x00007FF96B250000-0x00007FF96B260000-memory.dmp

memory/4752-85-0x00007FF96B250000-0x00007FF96B260000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

168s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28Hospital.docm" /o ""

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Registers new Windows logon scripts automatically executed at logon.

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Environment\UserInitMprLogonScript = "C:\\Users\\Admin\\AppData\\Roaming\\mrset.bat" C:\Windows\SysWOW64\rundll32.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5044 wrote to memory of 1996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5044 wrote to memory of 1996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5044 wrote to memory of 1996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1996 wrote to memory of 4180 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 4180 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 4180 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 4180 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 4180 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 4180 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28Hospital.docm" /o ""

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Roaming\user.dat, #1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Roaming\user.dat, #1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\mrset.bat

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Roaming\mvtband.dat",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
NL 172.217.23.206:443 google.com tcp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 mvband.net udp
US 104.155.138.21:443 mvband.net tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 21.138.155.104.in-addr.arpa udp
US 8.8.8.8:53 194.98.74.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
NL 172.217.23.206:443 google.com tcp
US 104.155.138.21:443 mvband.net tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 170.253.116.51.in-addr.arpa udp

Files

memory/3888-0-0x00007FFDC54B0000-0x00007FFDC54C0000-memory.dmp

memory/3888-1-0x00007FFDC54B0000-0x00007FFDC54C0000-memory.dmp

memory/3888-2-0x00007FFDC54B0000-0x00007FFDC54C0000-memory.dmp

memory/3888-3-0x00007FFE05430000-0x00007FFE05625000-memory.dmp

memory/3888-4-0x00007FFE05430000-0x00007FFE05625000-memory.dmp

memory/3888-5-0x00007FFDC54B0000-0x00007FFDC54C0000-memory.dmp

memory/3888-6-0x00007FFE05430000-0x00007FFE05625000-memory.dmp

memory/3888-8-0x00007FFDC54B0000-0x00007FFDC54C0000-memory.dmp

memory/3888-9-0x00007FFE05430000-0x00007FFE05625000-memory.dmp

memory/3888-7-0x00007FFE05430000-0x00007FFE05625000-memory.dmp

memory/3888-10-0x00007FFE05430000-0x00007FFE05625000-memory.dmp

memory/3888-11-0x00007FFE05430000-0x00007FFE05625000-memory.dmp

memory/3888-12-0x00007FFDC2C70000-0x00007FFDC2C80000-memory.dmp

memory/3888-13-0x00007FFDC2C70000-0x00007FFDC2C80000-memory.dmp

memory/3888-26-0x0000016B59700000-0x0000016B5A6D0000-memory.dmp

memory/3888-37-0x0000016B59700000-0x0000016B5A6D0000-memory.dmp

memory/3888-44-0x0000016B59700000-0x0000016B5A6D0000-memory.dmp

memory/3888-50-0x0000016B59700000-0x0000016B5A6D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\user.dat

MD5 b1d1a2c64474d2f6e7a5db71ccbafa31
SHA1 91d8e6f993e8b294924811df052e96cbec0545ad
SHA256 58b223f74992f371cab8f1df7c03b9b66f2ea9e3c9e22122898a9be62a05c0b4
SHA512 7f3a458083159e51e505074c46fa18a744bed43a21efca957a0bd60a8c8347597025dedf500b73c4cb5f5a107fb8975cb52b453deddf9fc69e46f8d417004b44

memory/3888-55-0x0000016B59700000-0x0000016B5A6D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrset.bat

MD5 583ea25b69feded9f65cfbff169147a9
SHA1 56e6487b283f2718483fe8823f70e36ffbce6fb7
SHA256 51eaf3b30c1ea932843cb9f5b6fb41804976d94a53a507ccb292b8392276cfd6
SHA512 adeb0df1f5edf3d1348f048da8760c2f8a9b3b0a8fd87a92ec62fbf0fc83681b928c2bee064a0b731bc4842c5d34f9e00e00303c4de4a56c9027e127d30260f5

C:\Users\Admin\AppData\Roaming\mvtband.dat

MD5 1421419d1be31f1f9ea60e8ed87277db
SHA1 f9fd3f1d8da4ffd6a494228b934549d09e3c59d1
SHA256 8c47961181d9929333628af20bdd750021e925f40065374e6b876e3b8afbba57
SHA512 a6825107c5e60231dcf631e702c3b75422bad8644ac69df21aa9e9437758850f31d84fe95a4e0386235b3b7103bbcc8945365f4d804cbb16e161c5577680a072

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/3888-75-0x00007FFE05430000-0x00007FFE05625000-memory.dmp

memory/3888-76-0x0000016B59700000-0x0000016B5A6D0000-memory.dmp

memory/3888-77-0x0000016B59700000-0x0000016B5A6D0000-memory.dmp

memory/3888-78-0x0000016B59700000-0x0000016B5A6D0000-memory.dmp

memory/3888-79-0x0000016B59700000-0x0000016B5A6D0000-memory.dmp

memory/3888-103-0x00007FFDC54B0000-0x00007FFDC54C0000-memory.dmp

memory/3888-104-0x00007FFDC54B0000-0x00007FFDC54C0000-memory.dmp

memory/3888-105-0x00007FFDC54B0000-0x00007FFDC54C0000-memory.dmp

memory/3888-106-0x00007FFDC54B0000-0x00007FFDC54C0000-memory.dmp

memory/3888-107-0x00007FFE05430000-0x00007FFE05625000-memory.dmp

memory/3888-108-0x00007FFE05430000-0x00007FFE05625000-memory.dmp

memory/3888-109-0x00007FFE05430000-0x00007FFE05625000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\Backdoor.XTunnel.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\Backdoor.XTunnel.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\Backdoor.XTunnel.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 45.32.129.185:443 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 45.32.129.185:443 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 45.32.129.185:443 tcp
US 45.32.129.185:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 45.32.129.185:443 tcp
US 45.32.129.185:443 tcp
US 45.32.129.185:443 tcp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:21

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyBearZekapabImplant.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyBearZekapabImplant.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyBearZekapabImplant.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5124 --field-trial-handle=2276,i,1205556100727695622,5044463180471657307,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3856-0-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/3856-1-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3856-6-0x00000000024C0000-0x00000000024C1000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

157s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\Xagent64.dll",#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\Xagent64.dll",#1

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
SE 185.86.148.227:443 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
SE 185.86.148.227:443 tcp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
SE 185.86.148.227:443 tcp
US 8.8.8.8:53 170.253.116.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20240221-en

Max time kernel

120s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmallAgent.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmallAgent.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmallAgent.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmallAgent.dll

MD5 10036063be45f92a9a743425fbf5abc7
SHA1 d70db6a6d660aae58ccfc688a2890391fd873bfb
SHA256 3f48dbbf86f29e01809550f4272a894ff4b09bd48b0637bd6745db84d2cec2b6
SHA512 a2fc426489193993e97fe3cedd529f52702c1f0d7a348960cbe5955b173cb8e1b77d117f389afd1db55a8bd33a81a72ceb6088fe5175927921e120f9fea82493

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

157s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmall_AgentDLL.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4972 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4972 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4972 wrote to memory of 1748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmall_AgentDLL.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmall_AgentDLL.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.239.69.13.in-addr.arpa udp
GB 96.17.178.174:80 tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

macos-20240214-en

Max time kernel

149s

Max time network

159s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/malware-sample-library-master/APT28 FancyBear/MacOSKomplexFancyBear.bin"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/malware-sample-library-master/APT28 FancyBear/MacOSKomplexFancyBear.bin"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/malware-sample-library-master/APT28 FancyBear/MacOSKomplexFancyBear.bin"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/malware-sample-library-master/APT28 FancyBear/MacOSKomplexFancyBear.bin]

/bin/zsh

[/bin/zsh -c /Users/run/malware-sample-library-master/APT28 FancyBear/MacOSKomplexFancyBear.bin]

/Users/run/malware-sample-library-master/APT28 FancyBear/MacOSKomplexFancyBear.bin

[/Users/run/malware-sample-library-master/APT28 FancyBear/MacOSKomplexFancyBear.bin]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater4B941C11/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.cfprefsd.xpc.agent]

/usr/sbin/cfprefsd

[/usr/sbin/cfprefsd agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.tailspind]

/usr/libexec/tailspind

[/usr/libexec/tailspind]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

Network

Country Destination Domain Proto
GB 17.57.146.152:5223 tcp
US 8.8.8.8:53 35-courier.push.apple.com udp
GB 17.57.146.11:5223 35-courier.push.apple.com tcp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.42.72.131:443 tcp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
US 8.8.8.8:53 a1366.dscapi6.akamai.net udp
GB 23.200.147.24:443 tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
GB 104.91.71.85:443 a1366.dscapi6.akamai.net tcp
US 8.8.8.8:53 gsp64-ssl.ls-apple.com.akadns.net udp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 cds.apple.com udp
RO 82.78.25.240:443 cds.apple.com tcp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 a6ef4856e99c9d8e1d9bb762c5a8503a
SHA1 25d5405ad91791b716ae5a56b37aa2b393854967
SHA256 232441aa129d4f21999860b8bf31db4b8617df9f7d32ef5f25a383edff82d9fa
SHA512 582fa1ea60766a5a4e99b295a8ed98c94f6bab45e42b7e8db61e9ad645f531891082cd457bfd11d660195af86f02c4ed93589e6e6daded683cff2d8319bbc489

/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1214.xml

MD5 3beb34e02eb9bd01714f9926b3ebfc96
SHA1 d558e451b1b1ea9f8a7a29449fe1d2985abbd96c
SHA256 032673ebc61db6f46d76d507b19b1b0136a3f7e766a311f38921d2ee7fe450be
SHA512 f882c6dc232cc24367e6a83117a8f358860fe8cc9b5d67fa2255645a43658e1cf72af44fa3708ec03c24a788c78abea2a268214adcfcb52aa7dce207102627ff

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 2f01f7a00c85e424f82b00b2bf794a7c
SHA1 c75cb52aa31012888dd7c65373d5faba6048c425
SHA256 23d6746cb1c1906c9cfb5c69f7377f7cb68965ac0708ed1d600bfd3d3c34ce32
SHA512 75131e0145182653cef2edbb968853c9cb3c26c37c5821f3cd69c3ecdde7979ae37e74ecea8ad333090a473177c6dad43bc34f94a8fd104cd4c9b16c8f7b54f8

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 9606522063bbc09c9d18aeec3750dd22
SHA1 359ffa79b94162ddfcc496694383b4ab4bc1242e
SHA256 f82d045e0f08974a370ae761339a41dbb5bcdd932a5255af0501c0a462fe5101
SHA512 720685603a082206230b958d6f0d23e5fdf6740a5a0f02ff8a0ba6dc80a73d38ed2f4725026dab0bbce66231c712fccbf4a2f143b5147b2fc172813ccdc97248

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 ce7f5b3d4bfc7b4b0da6a06dccc515f2
SHA1 ce657a52a052a3aaf534ecfbf7cbdde4ee334c10
SHA256 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1
SHA512 db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20231129-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\X-AgentTrojan.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\X-AgentTrojan.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\X-AgentTrojan.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 iboxmit.com udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20240221-en

Max time kernel

137s

Max time network

158s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\Xagent64.dll",#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\Xagent64.dll",#1

Network

Country Destination Domain Proto
SE 185.86.148.227:443 tcp
SE 185.86.148.227:443 tcp
SE 185.86.148.227:443 tcp
SE 185.86.148.227:443 tcp
SE 185.86.148.227:443 tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20240215-en

Max time kernel

117s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28Implant.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28Implant.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28Implant.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 120

Network

N/A

Files

memory/2388-0-0x0000000000450000-0x0000000000480000-memory.dmp

memory/2388-1-0x0000000000450000-0x0000000000480000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:21

Platform

win10v2004-20240226-en

Max time kernel

166s

Max time network

242s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28Implant.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28Implant.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28Implant.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 324

Network

Country Destination Domain Proto
GB 142.250.200.42:443 tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1768-0-0x00000000003F0000-0x0000000000420000-memory.dmp

memory/1768-1-0x00000000003F0000-0x0000000000420000-memory.dmp

memory/1768-2-0x00000000003F0000-0x0000000000420000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20240221-en

Max time kernel

133s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\Backdoor.XTunnel.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\Backdoor.XTunnel.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\Backdoor.XTunnel.exe"

Network

Country Destination Domain Proto
US 45.32.129.185:443 tcp
US 45.32.129.185:443 tcp
US 45.32.129.185:443 tcp
US 45.32.129.185:443 tcp
US 45.32.129.185:443 tcp
US 45.32.129.185:443 tcp
US 45.32.129.185:443 tcp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:20

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\X-AgentTrojan.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\X-AgentTrojan.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\X-AgentTrojan.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 iboxmit.com udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 iboxmit.com udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 iboxmit.com udp
US 8.8.8.8:53 218.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 iboxmit.com udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp

Files

N/A
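
Analyst note on the Network tables of the X-Agent and X-Tunnel detonations (behavioral13, behavioral28, behavioral29, behavioral30). Rows whose destination is 8.8.8.8:53 are the sandbox resolver: the name in the Domain column is the lookup itself, and the many *.in-addr.arpa names are reverse lookups of addresses already seen in traffic, so they carry no new indicator. Rows with a bare IP:port and an empty Domain column are direct connections. Read that way, Backdoor.XTunnel.exe connects seven times to 45.32.129.185:443 and Xagent64.dll (loaded through rundll32 with ordinal #1) five times to 185.86.148.227:443, in both cases with no DNS lookup in the table, while X-AgentTrojan.exe queries iboxmit.com four times in behavioral29 (once in behavioral28) and no connection to a resolved address follows, which is what a C2 domain that does not resolve during detonation looks like. Whether the bare connection to 20.231.121.79:80 in behavioral29 is sample traffic or image telemetry cannot be decided from the table alone, so it stays on the candidate list. The Python below is an added example by the editor, not part of the sandbox report: it parses rows copied from those tables, discards resolver and platform noise using a suffix list that is the editor's assumption, and reports direct connections and names that were queried but never connected to.

```python
"""IOC triage over the Network tables of the X-Agent and X-Tunnel detonations.

Added example by the editor, not sandbox output. The rows are copied from the
report's "Country Destination Domain Proto" tables; the noise rules are the
editor's assumptions about what these sandbox images do in the background.
"""
from collections import Counter

RESOLVER = "8.8.8.8:53"  # the sandbox resolver: rows to it are lookups, not connections

# Assumed background-noise suffixes (editor's list; tune per environment).
NOISE_SUFFIXES = (
    ".in-addr.arpa",          # reverse lookups of addresses already seen
    "bing.net", "bing.com",   # Windows 10 image background traffic in these tables
)

# Constructed from the report; a repeated row appears that many times in the table.
NETWORK = {
    "behavioral13 Backdoor.XTunnel.exe": ["US 45.32.129.185:443 tcp"] * 7,
    "behavioral30 Xagent64.dll #1": ["SE 185.86.148.227:443 tcp"] * 5,
    "behavioral29 X-AgentTrojan.exe": [
        "US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp",
        "US 8.8.8.8:53 iboxmit.com udp",
        "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
        "US 8.8.8.8:53 iboxmit.com udp",
        "US 20.231.121.79:80 tcp",
        "US 8.8.8.8:53 iboxmit.com udp",
        "US 8.8.8.8:53 iboxmit.com udp",
        "US 8.8.8.8:53 tse1.mm.bing.net udp",
        "US 204.79.197.200:443 tse1.mm.bing.net tcp",
        "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    ],
}


def parse_row(row):
    """Split one table row; the Domain column is empty for direct connections."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError("unexpected row: %r" % row)
    return {"country": country, "dest": dest, "domain": domain, "proto": proto}


def is_noise(domain):
    d = domain.lower()
    return any(d.endswith(suffix) for suffix in NOISE_SUFFIXES)


def triage(rows):
    """Return queried names and direct connections with resolver/platform noise removed."""
    lookups, connections = Counter(), Counter()
    for ev in map(parse_row, rows):
        if ev["dest"] == RESOLVER:
            # A lookup: the queried name is the indicator, the resolver address is not.
            if ev["domain"] and not is_noise(ev["domain"]):
                lookups[ev["domain"]] += 1
        elif not is_noise(ev["domain"]):
            connections[(ev["dest"], ev["domain"] or "<no name>")] += 1
    return {"dns_queries": dict(lookups), "connections": dict(connections)}


def queried_but_never_connected(result):
    """Names the sample looked up without any connection carrying that name:
    the pattern of a C2 domain that did not resolve during detonation."""
    connected = {name for _dest, name in result["connections"]}
    return set(result["dns_queries"]) - connected


if __name__ == "__main__":
    for label, rows in NETWORK.items():
        result = triage(rows)
        print(label)
        for (dest, name), n in sorted(result["connections"].items()):
            print("  connect %-22s %-20s x%d" % (dest, name, n))
        for name, n in sorted(result["dns_queries"].items()):
            print("  lookup  %-43s x%d" % (name, n))
        for name in sorted(queried_but_never_connected(result)):
            print("  never connected: %s" % name)
```

Running it prints one block per detonation; the suffix list is deliberately short and should be extended with whatever the analyst's own clean-image baseline shows before the output is treated as an IOC list.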

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20240221-en

Max time kernel

118s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysConnect = "{c9ac7087-2b09-4376-b245-53a8cda14f3c}" C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\winmgmt.dll C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A
File created C:\Windows\SysWOW64\sysconnect.dll C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{c9ac7087-2b09-4376-b245-53a8cda14f3c}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe"

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NATO.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2964-3-0x000000002F6D1000-0x000000002F6D2000-memory.dmp

memory/2964-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2964-5-0x000000007147D000-0x0000000071488000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NATO.doc

MD5 fd34f554ee16947045ef7aecc6d8a6ae
SHA1 8b424ff7bfdb326c73bc0231c9329e4eccc5cb1b
SHA256 e14998cd3efa380d8e042f33e08ca42934e8e04c6f346a2b560830e4ed26ebf2
SHA512 0ddb0594a5412564a6901241aa27dfd3f97e96f3b2154a5daa1874155e9877fc25dd91c18da09d0667b927481b2090278da04b334214749b6b59eb231ff27d50

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2964-24-0x000000007147D000-0x0000000071488000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 e4ac05995064cd0a61d218a4bf366cad
SHA1 4c1a407fcb5a4bff50b6f734d7bf14cb00c52947
SHA256 aad92082b50df4e87dc4e2c2561f9edbf1cdfecfb9dba4acf8644949352231b5
SHA512 bcc6ad75e6433de64ada3c62ec9fe163ef07c131944d337a19e6ec5d5c2562c09acf2659ec641031fc3356803c9100f7242969261585523a6bc23b90c4d3b303

memory/2964-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2964-40-0x000000007147D000-0x0000000071488000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmallAgent.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmallAgent.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmallAgent.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
GB 96.17.178.196:80 tcp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmallAgent.dll

MD5 10036063be45f92a9a743425fbf5abc7
SHA1 d70db6a6d660aae58ccfc688a2890391fd873bfb
SHA256 3f48dbbf86f29e01809550f4272a894ff4b09bd48b0637bd6745db84d2cec2b6
SHA512 a2fc426489193993e97fe3cedd529f52702c1f0d7a348960cbe5955b173cb8e1b77d117f389afd1db55a8bd33a81a72ceb6088fe5175927921e120f9fea82493

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20240215-en

Max time kernel

119s

Max time network

130s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmall_AgentDLL.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 2300 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmall_AgentDLL.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxSmall_AgentDLL.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:21

Platform

win7-20240221-en

Max time kernel

12s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\ZekaAPT28.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\ZekaAPT28.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\ZekaAPT28.exe"

Network

N/A

Files

memory/2028-0-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/2028-1-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2028-2-0x0000000000400000-0x00000000004D4000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20240221-en

Max time kernel

166s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyBearZekapabImplant.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyBearZekapabImplant.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\FancyBearZekapabImplant.exe"

Network

N/A

Files

memory/3036-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/3036-1-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3036-3-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-13 02:15

Reported

2024-03-13 02:19

Platform

win7-20240221-en

Max time kernel

122s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxInfo_EFI.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\RwDrv.sys C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxInfo_EFI.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxInfo_EFI.exe

"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\LoJaxInfo_EFI.exe"

Network

N/A

Files

N/A