prochollow.doc

General

Target: prochollow.doc
Filesize: 143KB
Completed: 17-03-2020 22:19
Score: 10/10
MD5: b107f3235057bb2b06283030be8f26e4
SHA1: b12d2984830eee5ef668032cc13691706efce4a5
SHA256: 5d077b1341a6472f02aac89488976d4395a91ae4f23657b0344da74f4a560c8d

Malware Config
Signatures 9

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    3 | api.ipify.org
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE

    Reported IOCs

    pid | process
    1832 | WINWORD.EXE
    1832 | WINWORD.EXE
  • Process spawned unexpected child process
    svchost.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1920 | 1832 | svchost.exe | WINWORD.EXE
  • Suspicious use of WriteProcessMemory
    WINWORD.EXE

    Reported IOCs

    description | pid | process | target process
    PID 1832 wrote to memory of 1920 | 1832 | WINWORD.EXE | svchost.exe
    PID 1832 wrote to memory of 1920 | 1832 | WINWORD.EXE | svchost.exe
    PID 1832 wrote to memory of 1920 | 1832 | WINWORD.EXE | svchost.exe
    PID 1832 wrote to memory of 1920 | 1832 | WINWORD.EXE | svchost.exe
    PID 1832 wrote to memory of 1920 | 1832 | WINWORD.EXE | svchost.exe
    PID 1832 wrote to memory of 1920 | 1832 | WINWORD.EXE | svchost.exe
    PID 1832 wrote to memory of 1920 | 1832 | WINWORD.EXE | svchost.exe
    PID 1832 wrote to memory of 1920 | 1832 | WINWORD.EXE | svchost.exe
    PID 1832 wrote to memory of 1920 | 1832 | WINWORD.EXE | svchost.exe
  • Suspicious use of SetThreadContext
    WINWORD.EXE

    Reported IOCs

    description | pid | process | target process
    PID 1832 set thread context of 1920 | 1832 | WINWORD.EXE | svchost.exe
  • Modifies registry class
    WINWORD.EXE

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\TypeLib\{76C9D49E-A559-42DC-916B-F3C74C90D853}\2.0\0 | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\TypeLib\{76C9D49E-A559-42DC-916B-F3C74C90D853}\2.0\FLAGS\ = "6" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{76C9D49E-A559-42DC-916B-F3C74C90D853}\2.0\HELPDIR | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} | WINWORD.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{76C9D49E-A559-42DC-916B-F3C74C90D853} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" | WINWORD.EXE
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pid | process
    1832 | WINWORD.EXE
  • Suspicious behavior: EnumeratesProcesses
    svchost.exe

    Reported IOCs

    pid | process
    1920 | svchost.exe
  • Office loads VBA resources, possible macro or embedded object present
Processes 2
  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\prochollow.doc"
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    Suspicious use of SetThreadContext
    Modifies registry class
    Suspicious behavior: AddClipboardFormatListener
    PID:1832
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      Process spawned unexpected child process
      Suspicious behavior: EnumeratesProcesses
      PID:1920
Network
MITRE ATT&CK Matrix
Tactic columns (no techniques mapped in this report): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/1832-2-0x0000000008A60000-0x0000000008A64000-memory.dmp
  • memory/1832-6-0x0000000007210000-0x0000000007410000-memory.dmp
  • memory/1920-7-0x0000000000400000-0x0000000000407000-memory.dmp