Malware Analysis Report

2024-09-09 19:09

Sample ID: 240511-exh8xsfe86
Target: NetShred_X_6_0_2_TNT.dmg
SHA256: 90e0908e94b96102658cf6a5a957799f461373097da26e40c7da459bbb418488
Tags: persistence privilege_escalation evasion
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral2, behavioral3, behavioral9, behavioral10, behavioral12, behavioral5, behavioral6, behavioral14, behavioral1, behavioral11, behavioral15, behavioral4, behavioral7, behavioral8, behavioral13 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: 90e0908e94b96102658cf6a5a957799f461373097da26e40c7da459bbb418488

Threat Level: Shows suspicious behavior

The file NetShred_X_6_0_2_TNT.dmg was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence privilege_escalation evasion

Login Items

Resource Forking

Drops file in Windows directory

Writes file to tmp directory

Reads runtime system information

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-11 04:19

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:22

Platform

macos-20240410-en

Max time kernel

144s

Max time network

161s

Command Line

[sh -c sudo /bin/zsh -c "open /Volumes/NetShred\ X\ 6.0.2/NetShred\ X.app"]

Signatures

Login Items

Tags: persistence privilege_escalation

Description | Indicator | Process | Target
N/A | "/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events" | N/A | N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "open /Volumes/NetShred\ X\ 6.0.2/NetShred\ X.app"]

/bin/bash

[sh -c sudo /bin/zsh -c "open /Volumes/NetShred\ X\ 6.0.2/NetShred\ X.app"]

/usr/bin/sudo

[sudo /bin/zsh -c open /Volumes/NetShred\ X\ 6.0.2/NetShred\ X.app]

/bin/zsh

[/bin/zsh -c open /Volumes/NetShred\ X\ 6.0.2/NetShred\ X.app]

/usr/bin/open

[open /Volumes/NetShred X 6.0.2/NetShred X.app]

/usr/libexec/xpcproxy

[xpcproxy com.mireth.netshred.2300]

/Volumes/NetShred X 6.0.2/NetShred X.app/Contents/MacOS/NetShred X

[/Volumes/NetShred X 6.0.2/NetShred X.app/Contents/MacOS/NetShred X]

/usr/libexec/xpcproxy

[xpcproxy com.apple.systemevents.2156]

/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events

[/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events]

/usr/libexec/xpcproxy

[xpcproxy com.apple.FolderActionsDispatcher]

/System/Library/CoreServices/FolderActionsDispatcher.app/Contents/MacOS/FolderActionsDispatcher

[/System/Library/CoreServices/FolderActionsDispatcher.app/Contents/MacOS/FolderActionsDispatcher launchd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country | Destination | Domain | Proto
US | 151.101.67.6:443 | | tcp
US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp
US | 20.42.73.27:443 | | tcp
US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp
US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | cds.apple.com | udp
PL | 23.211.84.62:443 | cds.apple.com | tcp
US | 8.8.8.8:53 | help.apple.com | udp
SE | 23.34.233.79:443 | help.apple.com | tcp
SE | 23.34.233.79:443 | help.apple.com | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:22

Platform

macos-20240410-en

Max time kernel

87s

Max time network

124s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/Extra/rhash"]

Signatures

Resource Forking

Tags: evasion

Description | Indicator | Process | Target
N/A | /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy | N/A | N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/Extra/rhash"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/Extra/rhash"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/NetShred X 6.0.2/Extra/rhash]

/bin/zsh

[/bin/zsh -c /Users/run/NetShred X 6.0.2/Extra/rhash]

/usr/libexec/dmd

[/usr/libexec/dmd]

/Users/run/NetShred

[/Users/run/NetShred X 6.0.2/Extra/rhash]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.suggestd]

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd

[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.knowledge-agent]

/usr/libexec/knowledge-agent

[/usr/libexec/knowledge-agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

Network

Country | Destination | Domain | Proto
US | 20.189.173.2:443 | | tcp
US | 8.8.8.8:53 | gspe1-ssl.ls.apple.com.edgesuite.net | udp
US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp
NL | 23.209.125.28:443 | | tcp
NL | 72.246.172.153:443 | | tcp
US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp
US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp
US | 151.101.3.6:443 | bag-cdn-lb.itunes-apple.com.akadns.net | tcp
GB | 23.200.147.24:443 | gspe1-ssl.ls.apple.com.edgesuite.net | tcp
US | 151.101.3.6:443 | bag-cdn-lb.itunes-apple.com.akadns.net | tcp
US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp
US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp
N/A | 224.0.0.251:5353 | | udp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1281.xml

MD5 4b83b8564ef37e681421517132a79483
SHA1 c53490db81ccdf4012fc0a184cb6bed56d2fde3c
SHA256 49ee8902d335eaa69e7a62b890f8f49d776187965315cc8a628b2530e50418ff
SHA512 107ec81b0d99c3c02836bce271a16fe3cb86da2fc191090da10de548b9ec0b6731eb4c4d293a62810acd5f9e9ffc4511278d187aff26cc2c21ae338aefb5ca67

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 b7513078ea000b610d91f1972a857551
SHA1 0a9d1b557ccdb84b36f2dc71008aec09efe2ad39
SHA256 8aa315a1f7c0596d9523f64fd744bb3092db69259e711a6476f09c45794f692c
SHA512 f00db2233f251975024609ec835a946447827d6d4183c80a98f329885436ceacea712253fab603c0c53d4dbb5666c6144980aea510077a0ee4a108a2552555cc

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:22

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NetShred X 6.0.2\NetShred X.app\Contents\Resources\en.lproj\Credits.rtf" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NetShred X 6.0.2\NetShred X.app\Contents\Resources\en.lproj\Credits.rtf" /o ""

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
BE | 88.221.83.187:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp
BE | 88.221.83.210:443 | metadata.templates.cdn.office.net | tcp
US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp
US | 8.8.8.8:53 | 210.83.221.88.in-addr.arpa | udp
NL | 104.97.14.241:443 | binaries.templates.cdn.office.net | tcp (53 identical connections)
US | 8.8.8.8:53 | 241.14.97.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp

Files

memory/3704-0-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp

memory/3704-1-0x00007FF81F16D000-0x00007FF81F16E000-memory.dmp

memory/3704-3-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp

memory/3704-4-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp

memory/3704-5-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

memory/3704-2-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp

memory/3704-6-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp

memory/3704-7-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

memory/3704-8-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

memory/3704-10-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

memory/3704-11-0x00007FF7DCAB0000-0x00007FF7DCAC0000-memory.dmp

memory/3704-9-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

memory/3704-14-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

memory/3704-13-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

memory/3704-12-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

memory/3704-16-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

memory/3704-17-0x00007FF7DCAB0000-0x00007FF7DCAC0000-memory.dmp

memory/3704-18-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

memory/3704-15-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

memory/3704-182-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

memory/3704-300-0x00007FF81F16D000-0x00007FF81F16E000-memory.dmp

memory/3704-301-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

memory/3704-374-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDFA13.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

memory/3704-520-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp

memory/3704-521-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp

memory/3704-523-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp

memory/3704-522-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp

memory/3704-524-0x00007FF81F0D0000-0x00007FF81F2C5000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:22

Platform

macos-20240410-en

Max time kernel

110s

Max time network

120s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/libConfigurer64.dylib"]

Signatures

Resource Forking

Tags: evasion

Description | Indicator | Process | Target
N/A | /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/libConfigurer64.dylib" | N/A | N/A
N/A | /Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/libConfigurer64.dylib | N/A | N/A
N/A | sh -c "sudo /bin/zsh -c \"/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/libConfigurer64.dylib\"" | N/A | N/A
N/A | sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/libConfigurer64.dylib" | N/A | N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/libConfigurer64.dylib"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/libConfigurer64.dylib"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/libConfigurer64.dylib]

/bin/zsh

[/bin/zsh -c /Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/libConfigurer64.dylib]

/Users/run/NetShred

[/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/libConfigurer64.dylib]

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:22

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

5s

Max time network

129s

Command Line

[/tmp/NetShred X 6.0.2/Open Gatekeeper friendly]

Signatures

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/filesystems | /bin/mkdir | N/A
File opened for reading | /proc/filesystems | /bin/cp | N/A
File opened for reading | /proc/filesystems | /bin/mkdir | N/A
File opened for reading | /proc/filesystems | /usr/bin/find | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/tnt17775/NetShred X 6.0.2 [TNT].dmg | /bin/cp | N/A

Processes

/tmp/NetShred X 6.0.2/Open Gatekeeper friendly

[/tmp/NetShred X 6.0.2/Open Gatekeeper friendly]

/usr/bin/clear

[clear]

/usr/bin/dirname

[dirname /tmp/NetShred X 6.0.2/Open Gatekeeper friendly]

/bin/rm

[rm -rf /tmp/tnt17775]

/bin/mkdir

[mkdir -p /tmp/tnt17775]

/bin/cp

[cp /tmp/NetShred X 6.0.2/Manual install/NetShred X 6.0.2 [TNT].dmg /tmp/tnt17775]

/bin/mkdir

[mkdir -p /tmp/tnt17775/mount]

/usr/bin/find

[find /tmp/tnt17775/mount -maxdepth 1 ! -type l ! -path /tmp/tnt17775/mount -exec xattr -r -d com.apple.quarantine {} ;]

/bin/sleep

[sleep 5]

Network

Country | Destination | Domain | Proto
GB | 185.125.188.62:443 | | tcp
GB | 185.125.188.62:443 | | tcp
US | 151.101.65.91:443 | | tcp
US | 151.101.65.91:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 195.181.164.19:443 | | tcp

Files

/tmp/tnt17775/NetShred X 6.0.2 [TNT].dmg

MD5 b4445a1d2526685b24df671313e9417b
SHA1 c3b7b3a0ba012a428709695772c187407bf40797
SHA256 32d131386d46c189a87ac5425e448cbd9cfb10d1117d0f9084ff7cf3b1d7317b
SHA512 f5caf85550caaaeee5bf17992aba5bfac67254a68fc1827b571e4397d9433ec1d495b8ed6cbea8e27b6c3503414ce1dd301be16ca54999aee8a7a2be7ba90f32

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:22

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NetShred X 6.0.2\NetShred X.app\Contents\Library\LoginItems\LaunchAtLoginHelperApp.app\Contents\Resources\en.lproj\Credits.rtf"

Signatures

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NetShred X 6.0.2\NetShred X.app\Contents\Library\LoginItems\LaunchAtLoginHelperApp.app\Contents\Resources\en.lproj\Credits.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1132-0-0x000000002F371000-0x000000002F372000-memory.dmp

memory/1132-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1132-2-0x000000007171D000-0x0000000071728000-memory.dmp

memory/1132-11-0x000000007171D000-0x0000000071728000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 d6bca67483ae4fa020899c4433258768
SHA1 e994cf8377060edcfb8dc915d2b4dd9d5fe57d19
SHA256 b30a91ccd516b183c14ded5abda83df2b609c51b3d4f4cd3cb9340b74f13e557
SHA512 3be80c87adeb83bdae0ad653ef3e03cb089fa697f2b5a0e567a178fd022e0d720cc83f20a6d9bd5121a70c907afce698247d2d34ecb637381fab92e59f62c6f1

memory/1132-29-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:22

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NetShred X 6.0.2\NetShred X.app\Contents\Library\LoginItems\LaunchAtLoginHelperApp.app\Contents\Resources\en.lproj\Credits.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NetShred X 6.0.2\NetShred X.app\Contents\Library\LoginItems\LaunchAtLoginHelperApp.app\Contents\Resources\en.lproj\Credits.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 205.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
BE 88.221.83.209:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
NL 104.97.14.241:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 209.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 241.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

memory/712-0-0x00007FFB7AF50000-0x00007FFB7AF60000-memory.dmp

memory/712-1-0x00007FFBBAF6D000-0x00007FFBBAF6E000-memory.dmp

memory/712-2-0x00007FFB7AF50000-0x00007FFB7AF60000-memory.dmp

memory/712-5-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-4-0x00007FFB7AF50000-0x00007FFB7AF60000-memory.dmp

memory/712-6-0x00007FFB7AF50000-0x00007FFB7AF60000-memory.dmp

memory/712-3-0x00007FFB7AF50000-0x00007FFB7AF60000-memory.dmp

memory/712-8-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-7-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-11-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-13-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-12-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-10-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-15-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-17-0x00007FFB78D00000-0x00007FFB78D10000-memory.dmp

memory/712-16-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-14-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-9-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-18-0x00007FFB78D00000-0x00007FFB78D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCD9227.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/712-446-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-492-0x00007FFBBAF6D000-0x00007FFBBAF6E000-memory.dmp

memory/712-493-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-494-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-513-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

memory/712-536-0x00007FFB7AF50000-0x00007FFB7AF60000-memory.dmp

memory/712-537-0x00007FFB7AF50000-0x00007FFB7AF60000-memory.dmp

memory/712-538-0x00007FFB7AF50000-0x00007FFB7AF60000-memory.dmp

memory/712-535-0x00007FFB7AF50000-0x00007FFB7AF60000-memory.dmp

memory/712-539-0x00007FFBBAED0000-0x00007FFBBB0C5000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:20

Platform

debian9-mipsbe-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:22

Platform

macos-20240410-en

Max time kernel

72s

Max time network

134s

Command Line

[sh -c sudo /bin/zsh -c "open /Volumes/NetShred\ X\ 6.0.2"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "open /Volumes/NetShred\ X\ 6.0.2"]

/bin/bash

[sh -c sudo /bin/zsh -c "open /Volumes/NetShred\ X\ 6.0.2"]

/usr/bin/sudo

[sudo /bin/zsh -c open /Volumes/NetShred\ X\ 6.0.2]

/bin/zsh

[/bin/zsh -c open /Volumes/NetShred\ X\ 6.0.2]

/usr/bin/open

[open /Volumes/NetShred X 6.0.2]

Network

Country Destination Domain Proto
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.23:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
GB 17.253.77.202:80 tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:25

Platform

macos-20240410-en

Max time kernel

129s

Max time network

142s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/sqlite3"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A sh -c "sudo /bin/zsh -c \"/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/sqlite3\"" N/A N/A
N/A sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/sqlite3" N/A N/A
N/A /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/sqlite3" N/A N/A
N/A /Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/sqlite3 N/A N/A
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/sqlite3"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/sqlite3"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/sqlite3]

/bin/zsh

[/bin/zsh -c /Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/sqlite3]

/Users/run/NetShred

[/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Resources/sqlite3]

/usr/libexec/dmd

[/usr/libexec/dmd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.suggestd]

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd

[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.knowledge-agent]

/usr/libexec/knowledge-agent

[/usr/libexec/knowledge-agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 20.189.173.2:443 tcp
US 8.8.8.8:53 onedscolprdeus06.eastus.cloudapp.azure.com udp
US 20.42.73.25:443 onedscolprdeus06.eastus.cloudapp.azure.com tcp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 gspe1-ssl.ls.apple.com.edgesuite.net udp
NL 23.209.125.28:443 tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
NL 72.246.172.153:443 tcp
US 8.8.8.8:53 a479.dscg4.akamai.net udp
GB 23.200.147.27:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp
US 8.8.8.8:53 cds.apple.com udp
PL 23.211.84.62:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
SE 23.34.233.79:443 help.apple.com tcp
SE 23.34.233.79:443 help.apple.com tcp
N/A 224.0.0.251:5353 udp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1281.xml

MD5 4b83b8564ef37e681421517132a79483
SHA1 c53490db81ccdf4012fc0a184cb6bed56d2fde3c
SHA256 49ee8902d335eaa69e7a62b890f8f49d776187965315cc8a628b2530e50418ff
SHA512 107ec81b0d99c3c02836bce271a16fe3cb86da2fc191090da10de548b9ec0b6731eb4c4d293a62810acd5f9e9ffc4511278d187aff26cc2c21ae338aefb5ca67

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 40f11327470311a4ea0f8e66381dda36
SHA1 d5f7b45edec53dde9d12b7c998a04719f9b0e13e
SHA256 10a81d142beddbeb28a16a9da2e5647d3d4da9f35e75404ecb75a550356e5657
SHA512 2a4a8df15f15e7e9fa8756a57212e4342ec774d7e5929f711ee21653e42489651801d9580e093a66a3a69d0fec35f46a9b1ce311691de07fb220941f84943b95

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:20

Platform

debian9-mipsel-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:22

Platform

macos-20240410-en

Max time kernel

138s

Max time network

148s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Library/LoginItems/LaunchAtLoginHelperApp.app/Contents/MacOS/LaunchAtLoginHelperApp"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Library/LoginItems/LaunchAtLoginHelperApp.app/Contents/MacOS/LaunchAtLoginHelperApp"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Library/LoginItems/LaunchAtLoginHelperApp.app/Contents/MacOS/LaunchAtLoginHelperApp"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Library/LoginItems/LaunchAtLoginHelperApp.app/Contents/MacOS/LaunchAtLoginHelperApp]

/bin/zsh

[/bin/zsh -c /Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Library/LoginItems/LaunchAtLoginHelperApp.app/Contents/MacOS/LaunchAtLoginHelperApp]

/Users/run/NetShred

[/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/Library/LoginItems/LaunchAtLoginHelperApp.app/Contents/MacOS/LaunchAtLoginHelperApp]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
DE 20.52.64.201:443 tcp
DE 51.116.246.105:443 tcp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
GB 17.250.81.67:443 tcp
NL 17.253.53.204:80 tcp
US 8.8.8.8:53 cds.apple.com udp
PL 23.211.84.62:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
SE 23.34.233.79:443 help.apple.com tcp
SE 23.34.233.79:443 help.apple.com tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:22

Platform

macos-20240410-en

Max time kernel

129s

Max time network

153s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/MacOS/NetShred X"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/MacOS/NetShred X"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/MacOS/NetShred X"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/NetShred X 6.0.2/NetShred X.app/Contents/MacOS/NetShred X]

/bin/zsh

[/bin/zsh -c /Users/run/NetShred X 6.0.2/NetShred X.app/Contents/MacOS/NetShred X]

/usr/libexec/dmd

[/usr/libexec/dmd]

/Users/run/NetShred

[/Users/run/NetShred X 6.0.2/NetShred X.app/Contents/MacOS/NetShred X]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country  Destination          Domain                                Proto
AU       40.79.173.41:443     -                                     tcp
DE       17.253.79.202:80     -                                     tcp
US       8.8.8.8:53           apis.apple.map.fastly.net             udp
US       8.8.8.8:53           e10499.dsce9.akamaiedge.net           udp
US       8.8.8.8:53           gspe1-ssl.ls.apple.com.edgesuite.net  udp
GB       23.200.147.27:443    gspe1-ssl.ls.apple.com.edgesuite.net  tcp
US       8.8.8.8:53           gspe35-ssl.ls-apple.com.akadns.net    udp
NL       72.246.172.153:443   -                                     tcp
US       8.8.8.8:53           bag-cdn.itunes-apple.com.akadns.net   udp
US       8.8.8.8:53           gspe21-ssl.ls-apple.com.akadns.net    udp
NL       23.63.101.177:443    -                                     tcp
GB       23.200.147.24:443    gspe1-ssl.ls.apple.com.edgesuite.net  tcp
GB       23.200.147.27:443    gspe1-ssl.ls.apple.com.edgesuite.net  tcp
US       8.8.8.8:53           gsp64-ssl.ls-apple.com.akadns.net     udp
N/A      224.0.0.251:5353     -                                     udp
US       8.8.8.8:53           cds.apple.com                         udp
PL       23.211.84.62:443     cds.apple.com                         tcp
US       8.8.8.8:53           help.apple.com                        udp
SE       23.34.233.79:443     help.apple.com                        tcp
SE       23.34.233.79:443     help.apple.com                        tcp

("-" marks a connection the sandbox did not tie to a DNS name.)
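
The table mixes resolver queries, TCP flows the sandbox could pair with a queried name, and four TCP flows it could not. Below is an added triage helper (example code, not part of the report) that parses the rows as the report prints them and sorts them into those buckets, so the unattributed destinations can be looked up by hand instead of being waved through as "Apple noise". The rows are copied from the table above; the parser accepts both the report's bare three-field rows and a "-" placeholder in the Domain column.

```python
"""Bucket a sandbox Network table into DNS queries, name-attributed flows,
unattributed flows and local/multicast noise. Added example; rows copied
from the behavioral run's Network table above."""
import ipaddress
from collections import Counter

NETWORK_ROWS = """\
AU 40.79.173.41:443 tcp
DE 17.253.79.202:80 tcp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
US 8.8.8.8:53 e10499.dsce9.akamaiedge.net udp
US 8.8.8.8:53 gspe1-ssl.ls.apple.com.edgesuite.net udp
GB 23.200.147.27:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp
US 8.8.8.8:53 gspe35-ssl.ls-apple.com.akadns.net udp
NL 72.246.172.153:443 tcp
US 8.8.8.8:53 bag-cdn.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 gspe21-ssl.ls-apple.com.akadns.net udp
NL 23.63.101.177:443 tcp
GB 23.200.147.24:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp
GB 23.200.147.27:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp
US 8.8.8.8:53 gsp64-ssl.ls-apple.com.akadns.net udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 cds.apple.com udp
PL 23.211.84.62:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
SE 23.34.233.79:443 help.apple.com tcp
SE 23.34.233.79:443 help.apple.com tcp
"""


def parse_row(line):
    """Rows carry 3 or 4 whitespace-separated fields; Domain is optional.
    A '-' in the Domain column is treated the same as an absent domain."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
        domain = None if domain == "-" else domain
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def triage(text):
    """Return (dns_queries, attributed, unattributed, local) as Counters.
    Counting collapses repeated connections (help.apple.com appears twice)."""
    dns, attributed, unattributed, local = Counter(), Counter(), Counter(), Counter()
    for line in text.splitlines():
        r = parse_row(line)
        addr = ipaddress.ip_address(r["ip"])
        key = f'{r["ip"]}:{r["port"]}/{r["proto"]}'
        if r["port"] == 53 and r["proto"] == "udp":
            dns[r["domain"] or "?"] += 1         # resolver traffic: keep the queried name
        elif addr.is_multicast or addr.is_private or addr.is_link_local:
            local[key] += 1                      # mDNS / LAN chatter, not a C2 candidate
        elif r["domain"]:
            attributed[f'{key} {r["domain"]}'] += 1
        else:
            unattributed[key] += 1               # no name: resolve/whois before calling it benign
    return dns, attributed, unattributed, local


if __name__ == "__main__":
    dns, attributed, unattributed, local = triage(NETWORK_ROWS)
    print("DNS queries:", dict(dns))
    print("attributed flows:", dict(attributed))
    print("UNATTRIBUTED flows (check these):", dict(unattributed))
    print("local/multicast:", dict(local))
```

Run against the rows above, the unattributed bucket holds 40.79.173.41:443, 17.253.79.202:80, 72.246.172.153:443 and 23.63.101.177:443. 17.0.0.0/8 is Apple's allocation; the other three need a reverse lookup or whois before this run's network activity can be written off as OS background traffic. Note also that the process list shows the sandbox running `spctl --assess` against an OneDrive.app already installed in the VM, so some of the traffic is the image's own, not the sample's.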

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/Users/run/Library/Caches/GeoServices/Resources/altitude-1281.xml

MD5 4b83b8564ef37e681421517132a79483
SHA1 c53490db81ccdf4012fc0a184cb6bed56d2fde3c
SHA256 49ee8902d335eaa69e7a62b890f8f49d776187965315cc8a628b2530e50418ff
SHA512 107ec81b0d99c3c02836bce271a16fe3cb86da2fc191090da10de548b9ec0b6731eb4c4d293a62810acd5f9e9ffc4511278d187aff26cc2c21ae338aefb5ca67

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 81563b5ff36f5f5dfd3086a0ee6ea296
SHA1 469d3dd8f5c24a9c8fdd5ebc127aeec69dcadf80
SHA256 6b9ece9b9a046bece1559d2c02e8128f182e99704bab53cbb04a033741718641
SHA512 25ef4103db30797a9918e621db5d424542e1e0b9ed0a2f185655543a65acad1227d3635a3eb93cc278a97413eee782ec7ec1c75060f7be6075f317d5c3403008

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 ce7f5b3d4bfc7b4b0da6a06dccc515f2
SHA1 ce657a52a052a3aaf534ecfbf7cbdde4ee334c10
SHA256 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1
SHA512 db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 41531bfeb1fcaa0616c0cac52bb384d3
SHA1 4c17da98d22bc143f3ce373027ed8c9088a1d35d
SHA256 e011a72bbc74022b95a19b372a056dea8fc8a79528ec31ce0187a0192460c842
SHA512 20ce2edfe1860d8d79350ba8646ec6cf269aaba05f144fd57388c06ddb7db2e8248729c6775932400e3cd07759b4bf99a41bc3b83f17601814214239eb274325

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 5303f7aad334b526983e94d3c60a8e4b
SHA1 8bd985ad720466bdec0ddedc65e650ecde4ca332
SHA256 771c48bb7227928924e6c38fc221854afaa37c93430adcc7666acc601494e889
SHA512 68b7b31be6ee1f537709860fe84147c6623e2a96d1adc4198b39e0744da81fe8c2c5bc640d5c15fd2ec999f6b79c30b9390771a7be1eeb3e1972b829ec2ba9a7

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 54ac2dfc3277cc71d095814696c9d295
SHA1 8f0d1dfbdff79cd6d57bc961c6c3fd097ba48893
SHA256 c538c601d32e3052f7b1abeba70b33930f59b71d07abeb63578e4340334fc4da
SHA512 9c6feb5711798bb03f566cfdce44150d28e9ac7cf6b6668aef9e9293b367b91a00d69db06d07198a7e2e3c8ba161ef2238e143bea6b1957cc9298ce8e9e7009b

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:22

Platform

win7-20240508-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NetShred X 6.0.2\NetShred X.app\Contents\Resources\en.lproj\Credits.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
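
The `Set value (data) ...\shell\edit\command\command = 7800...` rows in this table and in the "Modifies Internet Explorer settings" table above are REG_BINARY values the report prints as hex. They are UTF-16LE text in Windows Installer's Darwin descriptor format: a 20-character compressed product code, a feature name, `>`, a 20-character compressed component code, then the verb's arguments. Windows Installer uses these on advertised verbs to repair the target before launching it. The block below is an added worked example (not part of the report) that decodes the two distinct values found in the tables; the hex strings are copied verbatim from the "Default HTML Editor" and ".htm\OpenWithList\Excel.exe" rows, and the base-85 alphabet and word layout are Windows Installer's.

```python
"""Decode Windows Installer Darwin descriptors stored as REG_BINARY 'command' data.
Added example; the hex values are copied from the behavioral8 registry rows."""
import binascii
import uuid

# Windows Installer's base-85 alphabet for compressed GUIDs (85 symbols).
B85 = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`"
       "abcdefghijklmnopqrstuvwxyz{}~")

# 'Default HTML Editor\shell\edit\command\command' row (same bytes under
# .mht\OpenWithList\Microsoft Word and 'Default MHTML Editor').
HTML_EDITOR_HEX = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "57004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d00"
    "7b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000")

# '.htm\OpenWithList\Excel.exe\shell\edit\command\command' row.
EXCEL_HEX = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "45005800430045004c00460069006c00650073003e00560069006a00710042006f00660028005900"
    "3800270077002100460049006400310067004c00510020002f0064006400650000000000")


def decode_utf16_hex(hex_str):
    """REG_BINARY hex -> UTF-16LE text with the trailing NUL terminators removed."""
    return binascii.unhexlify(hex_str).decode("utf-16-le").rstrip("\x00")


def decompress_guid(token):
    """Expand a 20-character base-85 token into a {GUID} string.

    Each 5-character group is a little-endian base-85 number yielding one 32-bit
    word; the four words laid out little-endian are the GUID's in-memory bytes
    (Data1, Data2, Data3, Data4), which uuid.UUID(bytes_le=...) understands.
    """
    if len(token) != 20:
        raise ValueError("compressed GUID must be 20 characters")
    words = []
    for i in range(0, 20, 5):
        val = 0
        for j, ch in enumerate(token[i:i + 5]):
            val += B85.index(ch) * (85 ** j)   # ValueError if ch is not in the alphabet
        words.append(val & 0xFFFFFFFF)
    raw = b"".join(w.to_bytes(4, "little") for w in words)
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()


def parse_darwin_descriptor(text):
    """Split '<product20><feature>><component20> <args>' into its parts."""
    product, rest = text[:20], text[20:]
    feature, sep, rest = rest.partition(">")
    if sep != ">":
        raise ValueError("no '>' separator: not a Darwin descriptor")
    component, args = rest[:20], rest[20:].lstrip()
    return {
        "product_code": decompress_guid(product),
        "feature": feature,
        "component_code": decompress_guid(component),
        "arguments": args,
    }


def decode_descriptor(hex_str):
    """Convenience wrapper: registry hex -> parsed descriptor."""
    return parse_darwin_descriptor(decode_utf16_hex(hex_str))


if __name__ == "__main__":
    for name, blob in (("HTML editor", HTML_EDITOR_HEX), ("Excel .htm", EXCEL_HEX)):
        print(name, decode_utf16_hex(blob))
        print("   ", decode_descriptor(blob))
```

Both values decode to the same product code, {90140000-0011-0000-0000-0000000FF1CE}, the Windows Installer product code of the 32-bit Office 2010 installation in the win7 image, with features WORDFiles and EXCELFiles and arguments `/n "%1"` and `/dde` respectively; the Publisher row decodes the same way with feature PubPrimary. They match the plain `command\ = "...WINWORD.EXE /n \"%1\""` and `"...EXCEL.EXE /dde"` strings written beside them. This is Word re-registering Office's own HTML/MHTML verbs on first launch in the sandbox, which is why every row's Process is WINWORD.EXE and no row references Credits.rtf or anything from the DMG; the "adware spyware" tags on the Internet Explorer signature are triggered by that self-registration, not by the sample.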

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NetShred X 6.0.2\NetShred X.app\Contents\Resources\en.lproj\Credits.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2320-0-0x000000002F151000-0x000000002F152000-memory.dmp

memory/2320-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2320-2-0x000000007137D000-0x0000000071388000-memory.dmp

memory/2320-11-0x000000007137D000-0x0000000071388000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 2a50423610147164416b28836837fc67
SHA1 5d21cac3c67d1b0df871e49d18784d5c4ec7fb99
SHA256 24bf1d5dcb4d7f202ecd6cfb142ecfeec4b18205cc388f4c60d00c8b4e6400b6
SHA512 4d94071e5b9cb1135407a68e54b5ca1ce5a2b40c60a0d82bafbeba4bdc2383af0a83516f9138a760830ef4883d645ccb64e7a6acfd9f91603d17a493ea5267d3

memory/2320-29-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-11 04:19

Reported

2024-05-11 04:22

Platform

debian9-armhf-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A