Malware Analysis Report

2024-10-23 22:21

Sample ID 240507-jhy32sfb6t
Target Order4500318042.xls
SHA256 c4266d2a1d05270a41a4959ab0143f13655790c4c9fc189088b46302a367567a
Tags: formbook ht3d rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

c4266d2a1d05270a41a4959ab0143f13655790c4c9fc189088b46302a367567a

Threat Level: Known bad

The file Order4500318042.xls was found to be: Known bad.

Malicious Activity Summary

formbook ht3d rat spyware stealer trojan

Formbook

Formbook payload

Blocklisted process makes network request

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Launches Equation Editor

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy WMI provider

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-07 07:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-07 07:40
Reported: 2024-05-07 07:43
Platform: win7-20231129-en
Max time kernel: 149s
Max time network: 145s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2988 set thread context of 2540 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2540 set thread context of 1260 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Windows\Explorer.EXE
PID 2668 set thread context of 1260 N/A C:\Windows\SysWOW64\chkdsk.exe C:\Windows\Explorer.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\chkdsk.exe N/A

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware

Modifies registry class


Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
N/A N/A C:\Windows\SysWOW64\chkdsk.exe N/A
N/A N/A C:\Windows\SysWOW64\chkdsk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\chkdsk.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 2988 (4 events) N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\html.exe
PID 2820 wrote to memory of 2420 (4 events) N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2988 wrote to memory of 2540 (7 events) N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 1260 wrote to memory of 2668 (4 events) N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\chkdsk.exe
PID 2668 wrote to memory of 2856 (4 events) N/A C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Order4500318042.xls

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\html.exe

"C:\Users\Admin\AppData\Roaming\html.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\html.exe

"C:\Users\Admin\AppData\Roaming\html.exe"

C:\Windows\SysWOW64\chkdsk.exe

"C:\Windows\SysWOW64\chkdsk.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\html.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sorty.cc udp
US 172.67.166.48:80 sorty.cc tcp
US 172.67.166.48:443 sorty.cc tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.80:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 2.21.81.30:80 x2.c.lencr.org tcp
US 192.3.179.142:80 192.3.179.142 tcp
US 172.67.166.48:80 sorty.cc tcp
US 172.67.166.48:80 sorty.cc tcp
US 172.67.166.48:443 sorty.cc tcp
US 172.67.166.48:443 sorty.cc tcp
US 192.3.179.142:80 192.3.179.142 tcp
US 192.3.179.142:80 192.3.179.142 tcp
US 8.8.8.8:53 www.whitecoatprivilege.com udp
US 3.33.130.190:80 www.whitecoatprivilege.com tcp
US 8.8.8.8:53 www.aaditt.com udp
US 3.33.130.190:80 www.aaditt.com tcp
US 8.8.8.8:53 www.52iwin.com udp
US 199.59.243.225:80 www.52iwin.com tcp
US 8.8.8.8:53 www.isboston.net udp
DE 3.64.163.50:80 www.isboston.net tcp
US 8.8.8.8:53 www.1788777.com udp
US 192.161.82.59:80 www.1788777.com tcp

Files

memory/1908-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1908-1-0x0000000071D4D000-0x0000000071D58000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar16D1.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 2a05c01414bc71534b5946c428b383be
SHA1 2d80f028c873aea25c00c5223383a8b3006995a1
SHA256 8e50e74d018f4bb689588365e55175af742fd7447ee5890591f134d8391c3e3a
SHA512 e8e77e6a0b37b87f8b9416dfe3080a06b440ca4a5398c6203990a30a6a1f3ded10930e53c424d0c10fc047734d27f13e808de2b08da0d0e18cff15889fb566b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76e0de3ea725b6a55b3f5955dba56e4b
SHA1 d1b55c52afdfe15d0c11482692ed3d3a41596030
SHA256 6f1fa083ff081b039848c090883f7d909c83372e734c59251ba142de75adbb24
SHA512 311602e273ec6e80f6b774a80c679991f9a7739e9616e8e201d9d866046526396b735fc76a044a897dd1f0c2e1dfc13efbfaeafe15b331eb795066f2390343d3

memory/2820-110-0x000000002FEA1000-0x000000002FEA2000-memory.dmp

memory/2820-112-0x0000000071D4D000-0x0000000071D58000-memory.dmp

memory/1908-115-0x00000000024F0000-0x00000000024F2000-memory.dmp

memory/2820-114-0x0000000003610000-0x0000000003612000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EQ94T9H3.txt

MD5 eb4acdb99428f60a5ab235ba7f2dabb8
SHA1 2581b4882dd12e31f883e61f23effd934557f336
SHA256 6cecc67f413e145f82577b6b82a828202d880010ee1a10b3fb85b2978d9fe956
SHA512 46dfb190d3d0154620687dace7736c6701480c1a75b442ae0c37cbac233976f9afeb29d9627516d7a29876c0868c7ce3e2ad28653bf1a6fb8866f1cd42e95236

C:\Users\Admin\AppData\Local\Temp\{24AA23B1-EA25-4DD9-88B7-7FBADEF6636D}

MD5 064121ac7f1ced40bdc12ce8b3becb98
SHA1 92ad07a09b406ef0172c113fc8fc61e231666cdd
SHA256 0e81fac49148755898e00714ba8d4c489607a81a2d2978deb59460a71cf741bf
SHA512 c5790a122393f166669a50d41088c9f4d5b2ef0be3186d37039fe1f18926ec674ddfd061dc32e45d19e197359121d4b717f6adb328151d6bace523639478c21a

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{37E9D860-2852-4C68-B67D-D974F4E1D82D}.FSD

MD5 a3f726cf239a87baed925a0bcba0a35a
SHA1 c02b903214097dbcd0272e90fd853381b7a21856
SHA256 fa547f2d12ef25eb2286743c3a7345d6e752e64e1421e76795b9db50610a3fa2
SHA512 e376a58fde10cfd4f03e35643ed1b5f2fadda7fc4f12c566944f436bb11b9dd2b9d7eb99fb5814b91a686655dd9e8661deb956331d19be52d5e9b5aeec01eee3

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD


C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{3CDA3D5C-B43A-478F-9727-499E84230D46}.FSD


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BEAUBQH5\dayisagooddaytoheargoodnewfromthegodwholovegodtrulyfromthehearttheyhearinggoodnews__godisgreatforentier[1].doc


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751


C:\Users\Admin\AppData\Roaming\html.exe



Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 07:40

Reported

2024-05-07 07:43

Platform

win10v2004-20240419-en

Max time kernel

148s

Max time network

134s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order4500318042.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 3300 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\splwow64.exe
PID 2376 wrote to memory of 3300 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\splwow64.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Order4500318042.xls"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network


Files


C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\888963B1-0CB3-4F8A-A007-579F70DE9014


C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres


C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LYH0CKVD\dayisagooddaytoheargoodnewfromthegodwholovegodtrulyfromthehearttheyhearinggoodnews__godisgreatforentier[1].doc


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751


C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat


C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms


C:\Users\Admin\AppData\Local\Temp\TCD92C3.tmp\iso690.xsl

