Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
CPM Packing V4.doc
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: CPM Packing, Author:
, Template: Normal, Last Saved By: Stefanie Butler, Revision Number: 2, Name of Creating Application: Microsoft Office Word,
Last Printed: Tue Jul 10 13:57:00 2012, Create Time/Date: Sat Jun 30 16:30:00 2018, Last Saved Time/Date: Sat Jun 30 16:30:00
2018, Number of Pages: 8, Number of Words: 1049, Number of Characters: 5982, Security: 0
|
initial sample
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{4DED5C6A-1761-4786-961A-5F5287EDAFD1}.tmp
|
data
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4DD7503E-D112-4243-9235-58AC77741C33}.tmp
|
data
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9BCC7CD1-ED54-4E14-9DA6-D615130C6A08}.tmp
|
data
|
dropped
|
||
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6B402D7-918F-4449-A5AF-6E918A27D07F}.tmp
|
data
|
dropped
|
||
C:\Users\user\AppData\Local\Temp\~DF1469EBB44199A005.TMP
|
data
|
dropped
|
||
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\CPM Packing V4.LNK
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:08
2023, mtime=Fri Aug 11 15:42:08 2023, atime=Fri Oct 4 08:08:49 2024, length=4582912, window=hide
|
dropped
|
||
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
|
Generic INItialization configuration [folders]
|
dropped
|
||
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
|
data
|
dropped
|
||
C:\Users\user\Desktop\~$M Packing V4.doc
|
data
|
dropped
|
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
|
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
|
||
C:\Windows\System32\wbem\WmiPrvSE.exe
|
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
|
Registry
Path
|
Value
|
Malicious
|
|
---|---|---|---|
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
|
| /
|
||
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Word
|
Enabled
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
|
MTTT
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
|
3!/
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
|
|"/
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
|
ReviewToken
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\297DC
|
297DC
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents
|
LastPurgeTime
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
|
1033
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
WORDFiles
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
ProductFiles
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage
|
VBAFiles
|
There are 4 hidden registries, click here to show them.