Task
task1
Sample
Docs_4b290e4a9c72a8ccb01a945a516d06e8.3.doc
Resource
win7
0 signatures
Task
task2
Sample
Docs_4b290e4a9c72a8ccb01a945a516d06e8.3.doc
Resource
win10
0 signatures
General
-
Target
Docs_4b290e4a9c72a8ccb01a945a516d06e8.3
-
Sample
190924-52xmvffxta
-
SHA256
d07bbf9636c223b83dfe333c0428b41b909c19321e5f208bb805a2869cb358d5
Score
N/A
Malware Config
Signatures
-
Suspicious behavior: AddClipboardFormatListener
-
Suspicious use of SetWindowsHookEx
-
Processes:
WINWORD.EXEat description ioc process 20717 File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm WINWORD.EXE 20733 File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm WINWORD.EXE 20733 File created C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm WINWORD.EXE 21481 File opened for modification C:\Users\Admin\AppData\Local\Temp\Docs_4b290e4a9c72a8ccb01a945a516d06e8.3.doc WINWORD.EXE 21591 File created C:\Users\Admin\AppData\Local\Temp\~$cs_4b290e4a9c72a8ccb01a945a516d06e8.3.doc WINWORD.EXE -
Drops file in system dir 3 IoCs
Processes:
WINWORD.EXEat description ioc process 21981 File deleted C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD WINWORD.EXE 21981 File created C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD WINWORD.EXE 25381 File opened for modification C:\Windows\system32\GDIPFONTCACHEV1.DAT WINWORD.EXE -
Modifies registry class 1 TTPs 280 IoCs
Processes:
WINWORD.EXEat description ioc process 23884 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC} WINWORD.EXE 23899 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0 WINWORD.EXE 23899 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\ = "Microsoft Forms 2.0 Object Library" WINWORD.EXE 23899 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\FLAGS WINWORD.EXE 23899 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\FLAGS\ = "6" WINWORD.EXE 23899 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\0 WINWORD.EXE 23899 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\0\win32 WINWORD.EXE 23899 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd" WINWORD.EXE 23899 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\HELPDIR WINWORD.EXE 23899 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC} WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0 WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\ = "Microsoft Forms 2.0 Object Library" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\FLAGS WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\FLAGS\ = "6" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\0 WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\0\win32 WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\HELPDIR WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\TypeLib\{AA68EBA2-97BD-4250-B683-D1C8D8CCEACC}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" WINWORD.EXE 23899 Key created \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} WINWORD.EXE 23899 Set value (str) \REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" WINWORD.EXE -
Suspicious use of FindShellTrayWindow