cd8469ee9f5bd828bc3bd5dba6d8efabd49b03b2f1d0c5ee9ef7bc6363db4f38 | Triage

Analysis

max time kernel
13s

Sharing

General

Target

Docs_17d433cbe4e404b1092de9c213fec4bc.html
Sample

190824-wwxg4peyhn
SHA256

cd8469ee9f5bd828bc3bd5dba6d8efabd49b03b2f1d0c5ee9ef7bc6363db4f38

Score

N/A

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 9 IoCs

Modify Registry

description
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Internet Explorer\Toolbar (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Internet Explorer\MenuExt (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~1\\MICROS~1\\Office14\\ONBttnIE.dll/105"
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~1\\MICROS~1\\Office14\\EXCEL.EXE/3000"
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"

HTTP(S) URI 1 TTPs 8 IoCs

Modify Registry

description
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Web Service Providers\WebDrive\www.msnusers.com\ShortcutUrl = "http://www.msnusers.com"
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Web Service Providers\WebDrive\www.msnusers.com\NewWDUrl = "http://r.office.microsoft.com/r/rlidNetworkPlaces?clid=1033&app=Office10&select=no"
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Web Service Providers\WebDrive\www.msnusers.com\ManageWDUrl = "http://r.office.microsoft.com/r/rlidManageNetworkPlaces?clid=1033"
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Web Service Providers\FreeBusy\office.microsoft.com\FbPutDataUrl = "http://freebusy.office.microsoft.com/freebusy/freebusy.dll?prd=office&pver=\|0&ar=freebusy&subar=put"
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Web Service Providers\FreeBusy\office.microsoft.com\SignupUrl = "http://freebusy.office.microsoft.com/freebusy/freebusy.dll?prd=office&pver=\|0&ar=freebusy&subar=manage&users="
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Web Service Providers\FreeBusy\office.microsoft.com\FbGetEmailUrl = "http://freebusy.office.microsoft.com/freebusy/freebusy.dll?prd=office&pver=\|0&ar=freebusy&subar=getprefemail"
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Web Service Providers\FreeBusy\office.microsoft.com\FbGetDataUrl = "http://freebusy.office.microsoft.com/freebusy/freebusy.dll?prd=office&pver=\|0&ar=freebusy&subar=get&email="
\REGISTRY\USER\S-1-5-21-4187548167-391797178-4100960618-1000\Software\Microsoft\Web Service Providers\FreeBusy\office.microsoft.com\InfoUrl = "http://freebusy.office.microsoft.com/freebusy/freebusy.dll"

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx 1 TTPs
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 1 IoCs

description
C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Modifies registry class 1 TTPs 7 IoCs

Modify Registry

description
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85A8195F-978D-4442-B838-513903FC3979} (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85A8195F-978D-4442-B838-513903FC3979}\2.0 (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85A8195F-978D-4442-B838-513903FC3979}\2.0\ = "Microsoft Forms 2.0 Object Library"
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85A8195F-978D-4442-B838-513903FC3979}\2.0\FLAGS (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85A8195F-978D-4442-B838-513903FC3979}\2.0\FLAGS\ = "6"
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85A8195F-978D-4442-B838-513903FC3979}\2.0\0 (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85A8195F-978D-4442-B838-513903FC3979}\2.0\0\win32 (CreateKeyEx)