33a24ad4b225880bee5c9d40527022ea020daf2f6d7643269f4f739b3271f5de

Target

HRCComplaintProcedureForm (7).doc
Size

80KB
MD5

a411bb05ee4192202c88efdbd54552db
SHA1

6b0acf8175d39a1008bf9fb0d3c45bb63a3361e9
SHA256

33a24ad4b225880bee5c9d40527022ea020daf2f6d7643269f4f739b3271f5de
SHA512

6e424b2c2a7881d4969ddfaef595822f3d987e8fc49f578118c6d4ba25461ef53613405394f4ac366606ecfda08ede4d22f436f182aaee82ba9b5f7962cce6f4

Score

5^/10

persistence

Malware Config

Signatures

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	ipconfig.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	ipconfig.exe

Office loads VBA resources, possible macro or embedded object present
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

2040 ipconfig.exe
1312 NETSTAT.EXE
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

helppane.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main helppane.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1440 WINWORD.EXE

pid	process
2040	ipconfig.exe
1312	NETSTAT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main	helppane.exe

pid	process
1440	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

AUDIODG.EXEhelppane.exeNETSTAT.EXE

description	pid	process
Token: 33	552	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	552	AUDIODG.EXE
Token: 33	552	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	552	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	1920	helppane.exe
Token: SeTakeOwnershipPrivilege	1920	helppane.exe
Token: SeTakeOwnershipPrivilege	1920	helppane.exe
Token: SeTakeOwnershipPrivilege	1920	helppane.exe
Token: SeDebugPrivilege	1312	NETSTAT.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

helppane.exe

pid process

1920 helppane.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

WINWORD.EXEhelppane.exe

pid process

1440 WINWORD.EXE
1440 WINWORD.EXE
1920 helppane.exe
1920 helppane.exe
1440 WINWORD.EXE

pid	process
1920	helppane.exe

pid	process
1440	WINWORD.EXE
1440	WINWORD.EXE
1920	helppane.exe
1920	helppane.exe
1440	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 868 wrote to memory of 2040	868	cmd.exe	ipconfig.exe
PID 868 wrote to memory of 2040	868	cmd.exe	ipconfig.exe
PID 868 wrote to memory of 2040	868	cmd.exe	ipconfig.exe
PID 868 wrote to memory of 1312	868	cmd.exe	NETSTAT.EXE
PID 868 wrote to memory of 1312	868	cmd.exe	NETSTAT.EXE
PID 868 wrote to memory of 1312	868	cmd.exe	NETSTAT.EXE

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\HRCComplaintProcedureForm (7).doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.DefaultPrograms
1⤵
PID:2024

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:520

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:888

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1260

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.DefaultPrograms
1⤵
PID:1012

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:960

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2024

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Modifies service
- Gathers network information
PID:2040

C:\Windows\system32\NETSTAT.EXE
Netstat -a -n -o
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1312

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-0-0x000007FEF8150000-0x000007FEF83CA000-memory.dmp

Filesize
2.5MB

Download
memory/1312-10-0x0000000000000000-mapping.dmp

Download
memory/1920-8-0x0000000005D70000-0x0000000005D93000-memory.dmp

Filesize
140KB

Download
memory/2040-9-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads