Malware Analysis Report

2025-08-05 21:12

Sample ID 240410-lzbeesee7z
Target 221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292
SHA256 221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292
Tags
macro
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292

Threat Level: Likely malicious

The file 221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292 was found to be: Likely malicious.

Malicious Activity Summary

macro

Suspicious Office macro

Drops startup file

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 09:57

Signatures

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 09:57

Reported

2024-04-10 10:00

Platform

win7-20240221-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292.docm"

Signatures

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DnsSystem.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{6D6B3925-D6AD-463F-875A-90A899F75505}\2.0\ = "Microsoft Forms 2.0 Object Library" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D6B3925-D6AD-463F-875A-90A899F75505}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{6D6B3925-D6AD-463F-875A-90A899F75505}\2.0\0\win32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{6D6B3925-D6AD-463F-875A-90A899F75505}\2.0\FLAGS C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292.docm"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1684-0-0x000000002F9F1000-0x000000002F9F2000-memory.dmp

memory/1684-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1684-2-0x000000007178D000-0x0000000071798000-memory.dmp

memory/1684-11-0x0000000005900000-0x0000000005A00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FD66CF18.wmf

MD5 f83a88b2b0e12b7ac85be9f154acdc30
SHA1 07a2105bd8ec45ac21e0a73316309d6a72964a18
SHA256 79ce6d4c85c2ca55fee05bbe55fdd2b891976745d67b6a1c09cc9a28c6cfe736
SHA512 9af159616acd290532669cea4a91dd6f2939e518072d6a3eedcd9becbd234e9e210ca03c4b0005b62aef406a60eb4f88f01b864c53c950fcb4f6313cc92be4ed

memory/1684-18-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/1684-19-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/1684-21-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/1684-20-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/1684-28-0x000000007178D000-0x0000000071798000-memory.dmp

memory/1684-29-0x0000000005900000-0x0000000005A00000-memory.dmp

memory/1684-30-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/1684-31-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/1684-34-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/1684-35-0x0000000005140000-0x0000000005240000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1555846B.jpeg

MD5 b391a3e7c08c8c9cedb5f437e122b859
SHA1 094623500ca4be05995617924c4dbc097847d1ac
SHA256 c610b8ae528c38bd52e328c4ec644efe27a630318b0858a0ebdb3828a0dad5cf
SHA512 22c98f9658cf6d675f86f110eca237bc4999891e6401b32b020884847cda88eed75310d7d36a1c6aff41f014c57e85564b23f024fc28886118639946aa257350

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 aaf47ed91c021351f8eda1e94c96bcde
SHA1 d468697e09d5a068e708c172f0981d3a27524cec
SHA256 aa21710033438dff70b23cd0472976d17d18a5656e0ad1f900246fd4339e55c0
SHA512 2491475260a738ef360cca654945b337ba8b378605fc815d72ea91c618e293d7c77ab002d8027f79bb195118fa065ad7bfc907a931efce5be7606861563da067

memory/1684-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 09:57

Reported

2024-04-10 10:00

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292.docm" /o ""

Signatures

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DnsSystem.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3836 wrote to memory of 4504 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\splwow64.exe
PID 3836 wrote to memory of 4504 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292.docm" /o ""

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

memory/3836-0-0x00007FFE7AA30000-0x00007FFE7AA40000-memory.dmp

memory/3836-2-0x00007FFE7AA30000-0x00007FFE7AA40000-memory.dmp

memory/3836-1-0x00007FFE7AA30000-0x00007FFE7AA40000-memory.dmp

memory/3836-3-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-5-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-6-0x00007FFE7AA30000-0x00007FFE7AA40000-memory.dmp

memory/3836-4-0x00007FFE7AA30000-0x00007FFE7AA40000-memory.dmp

memory/3836-7-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-8-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-9-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-10-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-11-0x00007FFE78450000-0x00007FFE78460000-memory.dmp

memory/3836-12-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-14-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-13-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-15-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-17-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-16-0x00007FFE78450000-0x00007FFE78460000-memory.dmp

memory/3836-18-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-19-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-20-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-21-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-36-0x0000028D456A0000-0x0000028D458A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3FA85365.wmf

MD5 deca94d89bf2303c9e3d30040dae4eb8
SHA1 415c089df3c47331353038c4cb03e3098144e70c
SHA256 e949fc641179a3948b94e400258af1ebc0c5189b0e5805d5f55bd10878b819e6
SHA512 c2f4a3ac7c150cda1ac8ee41749ba1fdfdb7f43b6be2d3deb66be149346baf917135d5e8ddbb4dcad41fb100de5de43f8eb42d3aad48b5d7b2a49db70d9222a5

memory/3836-48-0x0000028D446D0000-0x0000028D456A0000-memory.dmp

memory/3836-49-0x0000028D446D0000-0x0000028D456A0000-memory.dmp

memory/3836-50-0x0000028D446D0000-0x0000028D456A0000-memory.dmp

memory/3836-51-0x0000028D446D0000-0x0000028D456A0000-memory.dmp

memory/3836-60-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-61-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-62-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-63-0x0000028D456A0000-0x0000028D458A0000-memory.dmp

memory/3836-64-0x0000028D446D0000-0x0000028D456A0000-memory.dmp

memory/3836-65-0x0000028D446D0000-0x0000028D456A0000-memory.dmp

memory/3836-66-0x0000028D446D0000-0x0000028D456A0000-memory.dmp

memory/3836-75-0x0000028D446D0000-0x0000028D456A0000-memory.dmp

memory/3836-80-0x0000028D446D0000-0x0000028D456A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6C342337.jpeg

MD5 cb4110236f9f987fa62689ba7952f910
SHA1 4e62a90dab1e5ba7dd58b7b3f3787e9d3c6e5aa7
SHA256 7fbec994354ee45d7dcb11dee54a5ad70d05ae97a4deb231a7bfb70e429fb7a9
SHA512 16bef9bc03fb33b32df89dbe81c129cc2d6e83d90b3615f23522395b563927f31a53b8c8b2e8380edaf6da0b9bf7b4d91a2cda8b5c8a2504d5c2ca968b13a21a

memory/3836-92-0x0000028D446D0000-0x0000028D456A0000-memory.dmp

memory/3836-93-0x0000028D446D0000-0x0000028D456A0000-memory.dmp

memory/3836-111-0x00007FFE7AA30000-0x00007FFE7AA40000-memory.dmp

memory/3836-112-0x00007FFE7AA30000-0x00007FFE7AA40000-memory.dmp

memory/3836-113-0x00007FFE7AA30000-0x00007FFE7AA40000-memory.dmp

memory/3836-114-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-117-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-116-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-118-0x00007FFEBA9B0000-0x00007FFEBABA5000-memory.dmp

memory/3836-115-0x00007FFE7AA30000-0x00007FFE7AA40000-memory.dmp