487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c

Analysis

max time kernel
619s
max time network
608s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virusshare/3/VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc
Size

34KB
MD5

3fb34964fa7b8c6bfad8d960380ff04e
SHA1

9a3aec40056ce74bac833989ed71dfb6c2626f4c
SHA256

26026b1b3d0cb660c6be6c536df679acca0b5562a3adbb507d001474d23f5650
SHA512

a82b522dfd7eac30292a9e9ab19ddac94563804e77a1090e5f44de7e794ef4e5ebe0e7fb36e5177479417c8176ae0475613700755ca015c7ce941a4740215faa
SSDEEP

384:bzIPMepSbSsG/CdPvunCpeJzKoSS3D6JO5LfBqtjbjk4Eohubn3ezta:nIPMecWsGKVunFFRDE6pqjhust

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x000f000000023f46-192.dat	office_macro_on_action

Deletes itself 1 IoCs

pid	Process
760	WINWORD.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000008a5a7a9112004170704461746100400009000400efbe8a5a7a918d5aa13c2e0000005de10100000001000000000000000000000000000000758506014100700070004400610074006100000016000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e003100000000008d5aa13d100054656d7000003a0009000400efbe8a5a7a918d5aa33d2e00000071e10100000001000000000000000000000000000000fb0d8c00540065006d007000000014000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000008a5a7a911100557365727300640009000400efbe874f77488d5aa03c2e000000c70500000000010000000000000000003a00000000003935170155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\NodeSlot = "1"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000008a5af699100041646d696e003c0009000400efbe8a5a7a918d5aa03c2e00000052e10100000001000000000000000000000000000000dc18a800410064006d0069006e00000014000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = 5e003100000000008d5aa03c10005649525553537e310000460009000400efbe8d5aa03c8d5aa13c2e00000061420200000008000000000000000000000000000000914f76007600690072007500730073006800610072006500000018000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000008a5a899910004c6f63616c003c0009000400efbe8a5a7a918d5aa03c2e00000070e10100000001000000000000000000000000000000c222ef004c006f00630061006c00000014000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0 = 44003100000000008d5aa33d10003300340009000400efbe8d5aa03c8d5aa33d2e000000714202000000070000000000000000000000000000002e5117013300000010000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\0	WINWORD.EXE

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\virusshare\3\~WRD0003.tmp\:Zone.Identifier:$DATA	WINWORD.EXE
File created	C:\Users\Admin\AppData\Local\Temp\virusshare\3\~WRD2504.tmp\:Zone.Identifier:$DATA	WINWORD.EXE
File created	C:\Users\Admin\AppData\Local\Temp\virusshare\3\~WRD0405.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
760	WINWORD.EXE
760	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
760	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeAuditPrivilege	760	WINWORD.EXE
Token: SeDebugPrivilege	3904	taskmgr.exe
Token: SeSystemProfilePrivilege	3904	taskmgr.exe
Token: SeCreateGlobalPrivilege	3904	taskmgr.exe
Token: 33	3904	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3904	taskmgr.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
760	WINWORD.EXE
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe
3904	taskmgr.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
3504	OpenWith.exe
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 5288	3504	OpenWith.exe	102
PID 3504 wrote to memory of 5288	3504	OpenWith.exe	102

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\virusshare\3\VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc" /o ""
  2⤵
  PID:5288

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3904

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C38FC017-BAFF-46F6-BE79-7E6CDC3711F8

Filesize
178KB

MD5
a6789cf8513fde42d0156e7899cb6d76

SHA1
64f89366a15a9c525bf3651daba77caa243eb6cd

SHA256
1253e4625cf9dba64807aa9028ac69be5c98d910ee5aa12de64637f9b10bf333

SHA512
1778d2c6fdd34ce9a49bc977be7ec40214cd020f7790d670927a92ddf86e4dd19ab405b378956bf600c5cee4ca1f841db05bc94db32654c1d3ed362636b33b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
333KB

MD5
f17301bdb75b75fc090bc027156e6eb7

SHA1
e38c39df185e19d0cbec8b91f5f3cef712407204

SHA256
cde2198bd1da248935802e2dd9a12747210d3a57a9a392d5b42bb6b51a451f86

SHA512
585f73b2c2ad21ec31ca0849c32b5fb41b6a3a118631412e88629e759789649ef9e30d2bb3f3b9c18bfc97bbbb987503809e93df071a5edfa8055396a0e9c810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
e8c79d7bccdec8921bc9dfc2a8c38d17

SHA1
a34528e8040000af66a58787e7026258ff9b4d0a

SHA256
1157756181be81b94dc34f36225ab0c5a7cb93ce8cebf66ab03886139309fdfa

SHA512
e1e39762638640563c371145dcad6ab7a3a24a20170a93c8ff009c55b6c48e9d3de473155fe1670714816508377ac95476ca1fc94fa97604bcb026f83cc0fbb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
4e6988b0de16b8ce2149f63ca50c66a5

SHA1
7e862f274cded861637e36c0998b6db8cdc48027

SHA256
944d8370fa4dcb856a9adcb2084de2ee45bc39c9545ad07329fa60ec3177967e

SHA512
0758a68955655570e5b9f650ddb546598e874850733f28b27529c8334ebc0d0a3606d09e3735d71a287c1d3b557ccbf7f13e6bc27cb372930cad2eefea305dee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
afad893c46ae0c1aa1dea154b8939e27

SHA1
ddbfc7977873388f303e3852b6751ed2b121e2b6

SHA256
9f236340bea91bc12dd17da9a7f5f5f6b3a81501fe4ff0d74d4f576a5e0fe124

SHA512
4f0e8ff685c9775a10da22925fa48da5575b19db23572b09a149a478974afc1da991af8697c71cfb0250da6e44d688bffd7c5b159ec4a24da94e976eb1286d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD78CE.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\virusshare\3\~WRD0003.tmp

Filesize
35KB

MD5
efbbb94499b696861772c1c63dd663ba

SHA1
93f746a1a84fde9a89a7c4bbafeb11c44d61c265

SHA256
2653cc8854f8a2e7d3c2627cea40843bdf4772f2120b795e7b9091c40d3513f5

SHA512
f8bdaff70c99c7444515568b280a04b3b7d4496f896fc291727fcd3987af3148942665451cc9d508238991e4cde99314fd534c84f8711853547c621f4dc79ebe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
332B

MD5
3d5cf6d4cb8c61babb18248a096f4c1c

SHA1
d7f583d655c51486a2ac53ad7d3e8d339db3ea5a

SHA256
3698c18168e6c212fac48ac82a51b7ae16958e5143b82dd092d59cc1e84a2327

SHA512
ff3f47a912a05263b361a8cfdb3440e6933c6d5153c1b79779e503e56b8f74eab90fa5d7fd17b5851217262fcbf0cde65467859c12fb6dfedca0e87e8c3dc13d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
7ae81353be1936031e6015961b9e8862

SHA1
4032717332ab42325adf6a2586b5ac3233dbef82

SHA256
22fd9d50672b807f20e8f37d078ade92bb14ac21608179afa27bb15366c19695

SHA512
11bbe92a6f9fc2b65b0dcb08e361ef9c3a41d0d8fe0020bc4f4215873580f44c1cf0801d090fb44b14a49856d800994b7cd2d9f25d25ffbba0f212ba998abaf5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\AutoRecovery save of ~WRL0405.asd

Filesize
96KB

MD5
913fa23945b65b5d26cdeae22426d0cf

SHA1
1c3738e0170ecee13317c8b64df170c5c5b18a00

SHA256
0feacd15cdbea16769bd51090edd14aaa04f38411db39e710c9ddfe60ed5455c

SHA512
881c22bf8c1329dc438f10a70893d1101f89541a9192ce7b98d7ae51c2a62486b798c895b5667961fced97ef2a911910ba370cc3e21e94aeeb488e4fd59a0bd2

Download Submit
memory/760-31-0x00007FFBD3DCD000-0x00007FFBD3DCE000-memory.dmp

Filesize
4KB

Download
memory/760-13-0x00007FFB91990000-0x00007FFB919A0000-memory.dmp

Filesize
64KB

Download
memory/760-14-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-7-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-6-0x00007FFB93DB0000-0x00007FFB93DC0000-memory.dmp

Filesize
64KB

Download
memory/760-5-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-19-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-32-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-17-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-18-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-20-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-15-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-0-0x00007FFBD3DCD000-0x00007FFBD3DCE000-memory.dmp

Filesize
4KB

Download
memory/760-1-0x00007FFB93DB0000-0x00007FFB93DC0000-memory.dmp

Filesize
64KB

Download
memory/760-3-0x00007FFB93DB0000-0x00007FFB93DC0000-memory.dmp

Filesize
64KB

Download
memory/760-22-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-2-0x00007FFB93DB0000-0x00007FFB93DC0000-memory.dmp

Filesize
64KB

Download
memory/760-21-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-305-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-4-0x00007FFB93DB0000-0x00007FFB93DC0000-memory.dmp

Filesize
64KB

Download
memory/760-8-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-16-0x00007FFB91990000-0x00007FFB919A0000-memory.dmp

Filesize
64KB

Download
memory/760-10-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-11-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-9-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/760-12-0x00007FFBD3D30000-0x00007FFBD3F25000-memory.dmp

Filesize
2.0MB

Download
memory/2136-316-0x00007FFB91990000-0x00007FFB919A0000-memory.dmp

Filesize
64KB

Download
memory/2136-311-0x00007FFB91990000-0x00007FFB919A0000-memory.dmp

Filesize
64KB

Download
memory/3904-367-0x000001A0E5F30000-0x000001A0E5F31000-memory.dmp

Filesize
4KB

Download
memory/3904-368-0x000001A0E5F30000-0x000001A0E5F31000-memory.dmp

Filesize
4KB

Download
memory/3904-365-0x000001A0E5F30000-0x000001A0E5F31000-memory.dmp

Filesize
4KB

Download
memory/3904-364-0x000001A0E5F30000-0x000001A0E5F31000-memory.dmp

Filesize
4KB

Download
memory/3904-360-0x000001A0E5F30000-0x000001A0E5F31000-memory.dmp

Filesize
4KB

Download
memory/3904-359-0x000001A0E5F30000-0x000001A0E5F31000-memory.dmp

Filesize
4KB

Download
memory/3904-358-0x000001A0E5F30000-0x000001A0E5F31000-memory.dmp

Filesize
4KB

Download
memory/3904-366-0x000001A0E5F30000-0x000001A0E5F31000-memory.dmp

Filesize
4KB

Download
memory/3904-370-0x000001A0E5F30000-0x000001A0E5F31000-memory.dmp

Filesize
4KB

Download
memory/3904-369-0x000001A0E5F30000-0x000001A0E5F31000-memory.dmp

Filesize
4KB

Download
memory/5288-265-0x00007FFB93DB0000-0x00007FFB93DC0000-memory.dmp

Filesize
64KB

Download
memory/5288-263-0x00007FFB93DB0000-0x00007FFB93DC0000-memory.dmp

Filesize
64KB

Download
memory/5288-262-0x00007FFB93DB0000-0x00007FFB93DC0000-memory.dmp

Filesize
64KB

Download
memory/5288-264-0x00007FFB93DB0000-0x00007FFB93DC0000-memory.dmp

Filesize
64KB

Download