Analysis Overview
SHA256
2a66921df80a7aae81231bcaf7eac77c4d755bb9418d08fad256c999d937492d
Threat Level: Likely benign
The file sample was found to be: Likely benign.
Malicious Activity Summary
Command and Scripting Interpreter: JavaScript
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-10 16:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 16:26
Reported
2024-07-10 16:29
Platform
win7-20240708-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
| Process | Command line |
| C:\Windows\system32\wscript.exe | wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 16:26
Reported
2024-07-10 16:29
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\wscript.exe | wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js |
| C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\GetUninstall.docx" /o "" |
| C:\Program Files\VideoLAN\VLC\vlc.exe | "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConvertFromOptimize.mpg" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | a5202d96f3d41e49b851ad0b3b991c22 |
| SHA1 | a010eb382c54d16dd20feaa69f22fd54438dc3ee |
| SHA256 | 9f5864c8de92bef78580c1368562493646b7a5aface06188d5b967b2f5f237be |
| SHA512 | beff460cb8390061ec640f5736df1cc9189d7fcc6188532216bc5e17e8bf6440d1aedf9652f7f7ef9c2e05a0d8d11409467d9659c8d46ea9c781b3cbf1a19725 |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | d29962abc88624befc0135579ae485ec |
| SHA1 | e40a6458296ec6a2427bcb280572d023a9862b31 |
| SHA256 | a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866 |
| SHA512 | 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.GW4568
| MD5 | 8b52e9eee0e6c446fb94efccae9e43fc |
| SHA1 | d9fd83a13085eb31e2c64a75b53ea24e06a79c57 |
| SHA256 | ea4b912f8f7015faf0b481ba10b85c39f49f7d936ed803d16e0fec60e66a3d12 |
| SHA512 | 925cb0e04aa4022f0453ba1e45091e9e5466fab84d4f8d4a4e6c9139b71b7fbe31822d7b996f3a77ba4936eaa62295d85c6f1d85669695131a24868bc2e40db1 |