Overview
overview
10Static
static
10Challenge_...m.docx
windows7-x64
4Challenge_...m.docx
windows10-2004-x64
1Challenge_...1.docx
windows7-x64
4Challenge_...1.docx
windows10-2004-x64
1Challenge_...y.docx
windows7-x64
4Challenge_...y.docx
windows10-2004-x64
1Challenge_...1.docx
windows7-x64
4Challenge_...1.docx
windows10-2004-x64
1tools/numb...ing.py
ubuntu-18.04-amd64
1tools/numb...ing.py
debian-9-armhf
1tools/numb...ing.py
debian-9-mips
1tools/numb...ing.py
debian-9-mipsel
1decoder_add1.py
ubuntu-18.04-amd64
1decoder_add1.py
debian-9-armhf
1decoder_add1.py
debian-9-mips
1decoder_add1.py
debian-9-mipsel
1decoder_ah.py
ubuntu-18.04-amd64
1decoder_ah.py
debian-9-armhf
1decoder_ah.py
debian-9-mips
1decoder_ah.py
debian-9-mipsel
1decoder_chr.py
ubuntu-18.04-amd64
1decoder_chr.py
debian-9-armhf
1decoder_chr.py
debian-9-mips
1decoder_chr.py
debian-9-mipsel
1decoder_rol1.py
ubuntu-18.04-amd64
1decoder_rol1.py
debian-9-armhf
1decoder_rol1.py
debian-9-mips
1decoder_rol1.py
debian-9-mipsel
1decoder_xor1.py
ubuntu-18.04-amd64
1decoder_xor1.py
debian-9-armhf
1decoder_xor1.py
debian-9-mips
1decoder_xor1.py
debian-9-mipsel
1Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
07-04-2024 18:11
Static task
static1
Behavioral task
behavioral1
Sample
Challenge_FIles/Employee_W2_Form.docx
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Challenge_FIles/Employee_W2_Form.docx
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Challenge_FIles/Employees_Contact_Audit_Oct_2021.docx
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Challenge_FIles/Work_From_Home_Survey.docx
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
Challenge_FIles/Work_From_Home_Survey.docx
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
Challenge_FIles/income_tax_and_benefit_return_2021.docx
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
Challenge_FIles/income_tax_and_benefit_return_2021.docx
Resource
win10v2004-20240319-en
Behavioral task
behavioral9
Sample
tools/numbers-to-string.py
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral10
Sample
tools/numbers-to-string.py
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral11
Sample
tools/numbers-to-string.py
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral12
Sample
tools/numbers-to-string.py
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral13
Sample
decoder_add1.py
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral14
Sample
decoder_add1.py
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral15
Sample
decoder_add1.py
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral16
Sample
decoder_add1.py
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral17
Sample
decoder_ah.py
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral18
Sample
decoder_ah.py
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral19
Sample
decoder_ah.py
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral20
Sample
decoder_ah.py
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral21
Sample
decoder_chr.py
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral22
Sample
decoder_chr.py
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral23
Sample
decoder_chr.py
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral24
Sample
decoder_chr.py
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral25
Sample
decoder_rol1.py
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral26
Sample
decoder_rol1.py
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral27
Sample
decoder_rol1.py
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral28
Sample
decoder_rol1.py
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral29
Sample
decoder_xor1.py
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral30
Sample
decoder_xor1.py
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral31
Sample
decoder_xor1.py
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral32
Sample
decoder_xor1.py
Resource
debian9-mipsel-20240226-en
General
-
Target
Challenge_FIles/Work_From_Home_Survey.docx
-
Size
26KB
-
MD5
41dacae2a33ee717abcc8011b705f2cb
-
SHA1
4b35d14a2eab2b3a7e0b40b71955cdd36e06b4b9
-
SHA256
84674acffba5101c8ac518019a9afe2a78a675ef3525a44dceddeed8a0092c69
-
SHA512
11f7177dc3c8a804ff6450477e15aadd20fddac98205008db25a4f6ef69a54b7cb7c9dd0d7bdf1b1d317f306482d86ad5ef150530194de7d8dbe344203962648
-
SSDEEP
768:8HVoVneOa0HD/vb9EVoiJWq8UCei96T8vuX3m86RAFvg5e:8QVvbvb9wnIq8OitP88eY5e
Malware Config
Signatures
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\mhtml:http:\trendparlye.com\wiki0509.html!x-usc:http:\trendparlye.com\wiki0509.html WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2192 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeShutdownPrivilege 2192 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2192 WINWORD.EXE 2192 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 2192 wrote to memory of 2020 2192 WINWORD.EXE splwow64.exe PID 2192 wrote to memory of 2020 2192 WINWORD.EXE splwow64.exe PID 2192 wrote to memory of 2020 2192 WINWORD.EXE splwow64.exe PID 2192 wrote to memory of 2020 2192 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Challenge_FIles\Work_From_Home_Survey.docx"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{5269729C-53FA-49A4-B895-5247723DE3B7}.FSDFilesize
128KB
MD531705f10b2fc114df7acda2df38f56bc
SHA11560264f6ef70a75c6917b3e1c87b1afa0adb794
SHA2566dfb6b44012a447bf540bc766a6e3fcfd5fd37590873630b9abb3bcd097b1f4b
SHA51261dcb8f7dbea3a349c932e10b144f46a7925566f4ca6aa8c70adf3160172105ed426da6255bd96633d8a57bb15fd6dc8c73ab6ebf0c5dd82813b091f1339aeb1
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD5394911f73baa63e2b71ca88de774ce9b
SHA1743c19167b4c22b81f042a9ef4954fcb0bdb4fc8
SHA2560630f694ca85bc48ab1fc7afa23e87d152710e27376ce7669f5ebc928574f36f
SHA5122fd7fe4cdbb8641790cfd6e93fd7acb7ee029b11f7baf8c5dbc99b08c5d7324c32837132204babc0a3693e13517b1f19c37371119a5939190b00fa65f25ddfa3
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{38342716-EE14-4FE0-8C10-1CB724FF5125}.FSDFilesize
128KB
MD5aa054ab8ad6e797d52a9064016eba7be
SHA14d708da75b9d1f02935cc03c4b1edd1b17ebcccc
SHA256e40b8b947a0c1140836a17850270d7b7d8a597616bcc09459d876d8129a6a09d
SHA5125bb24e15a5d7420fb46a261e879b1aea60bfc06321be8364f6e3f653907525029c0a50dce729e05a6bea7633ea733f108eac743db596908218647ad19c951dea
-
C:\Users\Admin\AppData\Local\Temp\{68245F98-E1A7-4429-BB61-367C7542DAF1}Filesize
128KB
MD59aa1e52b4f5fc28c14e8bb5f8a13790e
SHA1e1d8334e1cab26aa61433dd9ff71205928e4f7d9
SHA256a475d992f1e00bfdb472eebfc83aeac3d1c17a68b61379e05bdb4120db677fa7
SHA512461afb03750af41d5256fde2081198d8c8b358a2b5d3378386280d534dad9849b5f454dec075acabb382ce29ba1725048d45f82128a23b06c5a4ce4060144890
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5d0b279c20e8a89503b704f295e89598d
SHA1f383178f0a38f66dc8e8f01ddda84974c53a48a2
SHA25628a6fd7ca747546a139c69aabbea96026123a88b7aa01c979e0dea2a8542f852
SHA5124457e5ea119c719dc4b46bfd19fb3c54b79e62b20ce75e36bf423998553a4b276cf57afc410e10cda76f68631cc31f127b118666d33b40e4c377946923d251de
-
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lexFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/2192-0-0x000000002F3D1000-0x000000002F3D2000-memory.dmpFilesize
4KB
-
memory/2192-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2192-2-0x000000007125D000-0x0000000071268000-memory.dmpFilesize
44KB
-
memory/2192-77-0x000000007125D000-0x0000000071268000-memory.dmpFilesize
44KB
-
memory/2192-101-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2192-102-0x000000007125D000-0x0000000071268000-memory.dmpFilesize
44KB