Malware Analysis Report

2024-12-07 22:16

Sample ID 240808-ge1rcszfpn
Target PO 00082811.docx
SHA256 64d86549103287f488f4086139984d1be9781da6b6efc7902f03a348e664164c
Tags
remcos remotehost discovery execution rat
score
10/10

Analysis Overview

score
10/10

SHA256

64d86549103287f488f4086139984d1be9781da6b6efc7902f03a348e664164c

Threat Level: Known bad

The file PO 00082811.docx was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery execution rat

Remcos

Blocklisted process makes network request

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Abuses OpenXML format to download file from external location

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Launches Equation Editor

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-08 05:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-08 05:43

Reported

2024-08-08 05:46

Platform

win7-20240704-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO 00082811.docx"

Signatures

Remcos

rat remcos

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\fkslfile21.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\fkslfile21.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 236 set thread context of 444 N/A C:\Users\Admin\AppData\Roaming\fkslfile21.exe C:\Users\Admin\AppData\Roaming\fkslfile21.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\fkslfile21.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\fkslfile21.exe N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 592 wrote to memory of 236 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\fkslfile21.exe
PID 3056 wrote to memory of 628 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 236 wrote to memory of 844 N/A C:\Users\Admin\AppData\Roaming\fkslfile21.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 236 wrote to memory of 444 N/A C:\Users\Admin\AppData\Roaming\fkslfile21.exe C:\Users\Admin\AppData\Roaming\fkslfile21.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO 00082811.docx"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\fkslfile21.exe

"C:\Users\Admin\AppData\Roaming\fkslfile21.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fkslfile21.exe"

C:\Users\Admin\AppData\Roaming\fkslfile21.exe

"C:\Users\Admin\AppData\Roaming\fkslfile21.exe"

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-08 05:43

Reported

2024-08-08 05:46

Platform

win10v2004-20240802-en

Max time kernel

100s

Max time network

137s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO 00082811.docx" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO 00082811.docx" /o ""

Network

Files
