f16432e6a2680259bc0abf8ea9e6da37b7d887659967b19fa4126c4e8e16635a

General

Target

question.07.20.doc
Size

113KB
MD5

6f768e41513d55db49d7453b5ffa836d
SHA1

6b585309500cf3ba34d8fbe17238faafebc064f6
SHA256

f16432e6a2680259bc0abf8ea9e6da37b7d887659967b19fa4126c4e8e16635a
SHA512

47bcd56ffd836658ee7fb01c41f765fa7ea3c718255cfdb220e825f3a55802b6e25fc9a825f02ee3a85ff8a2a517fce7ce57a73a0ba09d56f53b8404061242a8

Score

10^/10

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

WINWORD.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1496	WINWORD.EXE
1524	iexplore.exe
1524	iexplore.exe
472	IEXPLORE.EXE
472	IEXPLORE.EXE
1912	iexplore.exe
1912	iexplore.exe
1128	IEXPLORE.EXE
1128	IEXPLORE.EXE

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1976 regsvr32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

1524 iexplore.exe
1912 iexplore.exe

pid	process
1976	regsvr32.exe

pid	process
1524	iexplore.exe
1912	iexplore.exe

Checks whether UAC is enabled 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b0829a874ca164698fa08cb019bbab80000000002000000000010660000000100002000000086f216f29b79d95b7e3ef63cd9dfe0f0a9f8b7f2a50ad89f9bc999cfa1de7e49000000000e80000000020000200000008a266d043938d158e9c9747a709d2dd6f428d37d3e19cf438d113c56180f02be900000002bec7cbc4b784b72128ca08547d86b873619467b7056759fa5af45392baecb354f171d95dc3db2b953477c2350a89db1420f552c317897ea16dd10c952077a5d49fa6dab5c3413e7cb12ac8ca7b7be6f03ecf57ed1ea03edf40a552b751fb5535295600873f3157cc1ead442aad107e32f8b09924cf2ce3376d4b0ebe6efeed5be6814261b3228484e90ec1b3c844ac940000000c9604bc469c43e6a7b684d69d265bf3e30679f2b4d2d16e39663ae5b85bd50a7797d438d1e85fd83be46e18ba07df08c0b6320dd90d8af842f850c3b7faec996	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED766C21-C0EE-11EA-A382-5A6C71686AEC} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D45DCD01-C0EE-11EA-A382-5A6C71686AEC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b0829a874ca164698fa08cb019bbab800000000020000000000106600000001000020000000243fb89fb2e826e8d66ebe3d6a4a7aa5b324a80b566bb0c9003205ea343831ec000000000e800000000200002000000081d646d9a92d9bf8a52d2a119a2ee711b2a521f5b4ad206117e8a41f01e5e1a220000000e22e46e0197102184413e91a2296b76c761aa0b59066f2705409774ce3cda1ac40000000bd6d347cb47b602c4fce91c302bb4f5e1775cb0d176e1bad6e6e3723ac7b7cef9a75107066dce0199d26a7b31bff4a89419c7e20755849e8aa28f8f59a58e51c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0dd7ba9fb54d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1496 WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1968	1496	regsvr32.exe	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

WINWORD.EXEregsvr32.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1496 wrote to memory of 1968	1496	WINWORD.EXE	regsvr32.exe
PID 1496 wrote to memory of 1968	1496	WINWORD.EXE	regsvr32.exe
PID 1496 wrote to memory of 1968	1496	WINWORD.EXE	regsvr32.exe
PID 1496 wrote to memory of 1968	1496	WINWORD.EXE	regsvr32.exe
PID 1496 wrote to memory of 1968	1496	WINWORD.EXE	regsvr32.exe
PID 1968 wrote to memory of 1976	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 1976	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 1976	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 1976	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 1976	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 1976	1968	regsvr32.exe	regsvr32.exe
PID 1968 wrote to memory of 1976	1968	regsvr32.exe	regsvr32.exe
PID 1524 wrote to memory of 472	1524	iexplore.exe	IEXPLORE.EXE
PID 1524 wrote to memory of 472	1524	iexplore.exe	IEXPLORE.EXE
PID 1524 wrote to memory of 472	1524	iexplore.exe	IEXPLORE.EXE
PID 1524 wrote to memory of 472	1524	iexplore.exe	IEXPLORE.EXE
PID 1524 wrote to memory of 1944	1524	iexplore.exe	IEXPLORE.EXE
PID 1524 wrote to memory of 1944	1524	iexplore.exe	IEXPLORE.EXE
PID 1524 wrote to memory of 1944	1524	iexplore.exe	IEXPLORE.EXE
PID 1524 wrote to memory of 1944	1524	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 1128	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 1128	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 1128	1912	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 1128	1912	iexplore.exe	IEXPLORE.EXE

Office loads VBA resources, possible macro or embedded object present

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\question.07.20.doc"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" kE.tmp
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\regsvr32.exe
kE.tmp
3⤵
- Loads dropped DLL
PID:1976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1524

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:472

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:209940 /prefetch:2
2⤵
PID:1944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1912

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kE.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\kE.tmp

Download Submit
memory/472-7-0x0000000000000000-mapping.dmp

Download
memory/472-8-0x0000000006920000-0x0000000006943000-memory.dmp

Filesize
140KB

Download
memory/1128-9-0x0000000000000000-mapping.dmp

Download
memory/1968-3-0x0000000000000000-mapping.dmp

Download
memory/1976-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads