Analysis

Max time kernel: 134s
Max time network: 143s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 03-12-2020 13:08

Static task: static1
Behavioral task: behavioral1
Sample: prescrivere 12.20.doc
Resource: win7v20201028
General

Target: prescrivere 12.20.doc
Size: 145KB
MD5: b53e10e01be1eff9f160d798c7292058
SHA1: 3f553e215de6b65fad42346d5891482a17d53555
SHA256: e5cb6bf749b22e4232541bdd75087559bcba643bed551040ec74a561d8de259d
SHA512: e5a454a96e047a84df1778bb38cf271f32484d84a3bcd8125d4ad687c9650abb4237b1f572b1a878e101efadfffe47dbffb6924e795d3a387336a30fb717575d
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is Word (pid 1992) and the child is regsvr32.exe (pid 1760); its command line is in the process tree below.
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1760 | 1992 | regsvr32.exe | WINWORD.EXE
Loads dropped DLL (1 IoC)
The module is c:\programdata\GsXVM.pdf (see the process tree and Downloads). regsvr32 hands the path to LoadLibrary and does not care about the extension, so the ".pdf" suffix is cosmetic: the dropped file is a DLL.
pid | process
1760 | regsvr32.exe
Drops file in Windows directory (1 IoC)
This is the Windows Image Acquisition trace log that Word opens, not the payload; the payload lands under C:\ProgramData (see Downloads).
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
(no per-process IoCs listed for this signature)

Modifies Internet Explorer settings (31 IoCs listed)
The WINWORD.EXE entries are Office's standard IE context-menu and toolbar registrations ("Export to Microsoft Excel", "Send to OneNote", ShowDiscussionButton) and the iexplore.exe entries are ordinary IE runtime state; none of them is a persistence mechanism. The signature fires on any IE-related registry write, so it is low-value on its own.
IE below stands for \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer.
description | ioc | process
Set value (int) | IE\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | IE\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key created | IE\IETld\LowMic | iexplore.exe
Key created | IE\Toolbar\WebBrowser | iexplore.exe
Key created | IE\Zoom | iexplore.exe
Set value (int) | IE\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | IE\Recovery\PendingRecovery | iexplore.exe
Set value (str) | IE\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | IE\PageSetup | iexplore.exe
Set value (str) | IE\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | IE\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | IE\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | IE\Recovery\AdminActive | iexplore.exe
Key created | IE\IntelliForms | iexplore.exe
Set value (str) | IE\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | IE\GPU | iexplore.exe
Key created | IE\LowRegistry\DOMStorage | iexplore.exe
Set value (int) | IE\Recovery\AdminActive\{61F5ABA1-3569-11EB-91BA-FE04141E889F} = "0" | iexplore.exe
Key created | IE\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | IE\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | IE\BrowserEmulation\LowMic | iexplore.exe
Key created | IE\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | IE\Main\WindowsSearch | iexplore.exe
Set value (str) | IE\Main\FullScreen = "no" | iexplore.exe
Key created | IE\Toolbar | WINWORD.EXE
Key created | IE\Toolbar | iexplore.exe
Key created | IE\Main | IEXPLORE.EXE
Key created | IE\MenuExt | WINWORD.EXE
Key created | IE\Main | iexplore.exe
Key created | IE\InternetRegistry | iexplore.exe
Key created | IE\LowRegistry | iexplore.exe
Script User-Agent (1 IoC)
Uses a user-agent string associated with a script host/environment. This string is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object, the usual way a VBA macro downloads a second stage; flow 3 refers to the report's network capture.
description | flow | ioc
HTTP User-Agent header | 3 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | process
1992 | WINWORD.EXE
Suspicious use of FindShellTrayWindow (1 IoC)
pid | process
1852 | iexplore.exe
Suspicious use of SetWindowsHookEx (20 IoCs)
pid | process | count
1992 | WINWORD.EXE | 16
1852 | iexplore.exe | 2
1060 | IEXPLORE.EXE | 2
Suspicious use of WriteProcessMemory (15 IoCs)
Every entry is a parent writing into a child it has just created (environment block, startup parameters), which is how CreateProcess works. These rows corroborate the process tree (Word spawned regsvr32 and splwow64, iexplore spawned its content process) but do not by themselves show code injection.
pid | process | target pid | target process | count
1992 | WINWORD.EXE | 1760 | regsvr32.exe | 7
1992 | WINWORD.EXE | 1672 | splwow64.exe | 4
1852 | iexplore.exe | 1060 | IEXPLORE.EXE | 4
Processes

1. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (pid 1992)
   "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\prescrivere 12.20.doc"
   - Drops file in Windows directory
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (pid 1760)
      regsvr32 c:\programdata\GsXVM.pdf
      - Process spawned unexpected child process
      - Loads dropped DLL
   2. C:\Windows\splwow64.exe (pid 1672)
      C:\Windows\splwow64.exe 12288

1. C:\Program Files\Internet Explorer\iexplore.exe (pid 1852)
   "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
   - Modifies Internet Explorer settings
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (pid 1060)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

Reading the tree: 32-bit Word (Office14 under Program Files (x86)) opens the document, and its macro most likely fetches the payload with WinHttpRequest (see the Script User-Agent signature) and writes it to c:\programdata\GsXVM.pdf. Word then launches the 32-bit regsvr32 from SysWOW64 to load that file as a DLL, which runs its DllRegisterServer export. splwow64.exe is the 32-to-64-bit print spooler proxy that 32-bit Office starts routinely. iexplore.exe is started with -Embedding, i.e. by COM activation; it appears at the top level, so the report does not show which process activated it.
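A detection that encodes the two signatures that matter here (an Office parent spawning an unexpected child, and a DLL loader pointed at a non-.dll file in a user-writable directory), as an added Python example that is not part of the sandbox report. The event records are constructed from the process tree above; the record fields, the set of benign Office children, the empty parent fields for the top-level processes (the report does not record them) and the benign regsvr32 control event are assumptions.

```python
"""Flag an Office application spawning a DLL-loading LOLBin with a disguised module.

Added example, not part of the sandbox report. Event records are constructed
from the report's process tree; the field names mirror a Sysmon Event ID 1
style record but are an assumption, not any particular SIEM's schema.
"""
from dataclasses import dataclass
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# splwow64.exe is the 32->64-bit print spooler proxy; 32-bit Office starts it
# routinely on 64-bit Windows and the report does not flag it either (assumption).
BENIGN_OFFICE_CHILDREN = {"splwow64.exe"}
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe", "odbcconf.exe"}
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _module_arguments(command_line: str) -> list[str]:
    """Positional arguments of a loader command line, with switches (/s, /u, /i:...) removed."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    return [t for t in tokens[1:] if not t.startswith(("/", "-"))]


def assess(ev: ProcessCreate) -> list[str]:
    """Return the detection labels that apply to one process-creation event."""
    labels = []
    parent, child = _name(ev.parent_image), _name(ev.image)
    if parent in OFFICE_APPS and child not in BENIGN_OFFICE_CHILDREN:
        labels.append("office-spawned-child")
    if child in DLL_LOADERS:
        for module in _module_arguments(ev.command_line):
            low = module.lower()
            if not low.endswith(".dll"):
                labels.append("loader-module-not-dll")  # e.g. a ".pdf" handed to regsvr32
            if low.startswith(USER_WRITABLE_ROOTS):
                labels.append("loader-module-in-user-writable-dir")
    return labels


def detect(events) -> dict[int, list[str]]:
    """Map pid -> labels for every event that triggers at least one label."""
    hits = {}
    for ev in events:
        labels = assess(ev)
        if labels:
            hits[ev.pid] = labels
    return hits


WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
IEXPLORE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
SAMPLE_EVENTS = [  # constructed from the report's process tree; parent of top-level processes not recorded
    ProcessCreate(1992, WINWORD,
                  '"' + WINWORD + '" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\prescrivere 12.20.doc"', 0, ""),
    ProcessCreate(1760, r"C:\Windows\SysWOW64\regsvr32.exe", r"regsvr32 c:\programdata\GsXVM.pdf", 1992, WINWORD),
    ProcessCreate(1672, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288", 1992, WINWORD),
    ProcessCreate(1852, IEXPLORE64, '"' + IEXPLORE64 + '" -Embedding', 0, ""),
    ProcessCreate(1060, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
                  r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:275457 /prefetch:2',
                  1852, IEXPLORE64),
    # Constructed benign control (hypothetical installer registering a system DLL): must not fire.
    ProcessCreate(4100, r"C:\Windows\System32\regsvr32.exe", r'regsvr32 /s "C:\Windows\System32\example.dll"',
                  3000, r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for pid, labels in detect(SAMPLE_EVENTS).items():
        print(pid, labels)
```

Only pid 1760 fires, with all three labels; the splwow64 child and the iexplore pair stay silent, as they do in the report. In production the "office-spawned-child" label alone is noisy (Office legitimately spawns helpers); the combination with a loader module outside .dll naming and under ProgramData is what makes this chain worth an alert.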
Downloads

c:\programdata\GsXVM.pdf (recorded under both its NT path \??\c:\programdata\GsXVM.pdf and its Win32 path \ProgramData\GsXVM.pdf; same hashes)
MD5: 077f36d2ffcf5ee8c2c240f73327d45d
SHA1: 521d1b499a7039c4cc792b612c12bf17c81f5823
SHA256: f48cd2a30ec043340a606a7ae60fbb91a7fd938be937ff08a10463734f89adc4
SHA512: aabe08bd5c849e08886916191f45384454c2f372c67f2fd3e2b8a83cd91ccf0dc48f2273838564cb02ba4d033a9fb8fd811e9371c1d0ac2713a4674493f1b62c

Memory dumps:
memory/1060-9-0x0000000000000000-mapping.dmp (IEXPLORE.EXE, pid 1060)
memory/1672-7-0x0000000000000000-mapping.dmp (splwow64.exe, pid 1672)
memory/1760-4-0x0000000000000000-mapping.dmp (regsvr32.exe, pid 1760)
memory/1992-3-0x00000000003C6000-0x00000000003CA000-memory.dmp (WINWORD.EXE, pid 1992), 16KB
memory/1992-2-0x00000000003C6000-0x00000000003CA000-memory.dmp (WINWORD.EXE, pid 1992), 16KB
memory/2040-8-0x000007FEF7020000-0x000007FEF729A000-memory.dmp (pid 2040, which does not appear in the process tree), 2.5MB
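The regsvr32 command line and the "Loads dropped DLL" signature say the .pdf extension on c:\programdata\GsXVM.pdf is cosmetic. The following added Python example (not from the report) checks a dropped file's content against its extension by parsing the DOS and COFF headers and testing the IMAGE_FILE_DLL flag, and hashes the blob so the result can be matched against the hash list above. The byte strings are constructed stand-ins, not the real sample, and the benign invoice.pdf path is made up.

```python
"""Decide whether a dropped file is what its extension claims.

Added example, not part of the sandbox report. Walks DOS header -> e_lfanew ->
"PE\0\0" -> IMAGE_FILE_HEADER.Characteristics. Inputs are constructed stubs.
"""
import hashlib
import ntpath
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # COFF Characteristics flags
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000


def pe_characteristics(data: bytes):
    """Return the COFF Characteristics word, or None if `data` is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4-byte "PE\0\0" signature followed by the 20-byte IMAGE_FILE_HEADER
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 22)[0]  # Characteristics is the last field


def sniff(data: bytes) -> str:
    """Content-based type: pe-dll, pe-exe, pdf or unknown."""
    chars = pe_characteristics(data)
    if chars is not None:
        return "pe-dll" if chars & IMAGE_FILE_DLL else "pe-exe"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


EXPECTED_BY_EXTENSION = {".pdf": "pdf", ".dll": "pe-dll", ".exe": "pe-exe"}


def classify(path: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed content and hash the blob."""
    ext = ntpath.splitext(path)[1].lower()
    sniffed = sniff(data)
    expected = EXPECTED_BY_EXTENSION.get(ext)
    return {
        "path": path,
        "extension": ext,
        "sniffed": sniffed,
        "mismatch": expected is not None and expected != sniffed,
        "sha256": hashlib.sha256(data).hexdigest(),  # compare against the report's hash list
    }


def build_pe_stub(is_dll: bool) -> bytes:
    """Minimal DOS header + PE signature + IMAGE_FILE_HEADER (constructed test input, not a loadable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | (IMAGE_FILE_DLL if is_dll else 0)
    # Machine=0x014C (i386), NumberOfSections=1, timestamp/symbols zeroed, SizeOfOptionalHeader=0
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + file_header


SAMPLE_FILES = {  # constructed stand-ins; the first mimics the report's drop, the second is a made-up benign file
    r"c:\programdata\GsXVM.pdf": build_pe_stub(is_dll=True),
    r"c:\users\Admin\Documents\invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
}

if __name__ == "__main__":
    for path, blob in SAMPLE_FILES.items():
        print(classify(path, blob))
```

Run over a real dropped file the same function gives a yes/no on the disguise and a SHA256 to match against the hash list above. The check deliberately stops at the COFF header: it does not need a valid optional header or sections, so it works on truncated or partially overwritten drops that a full PE parser would reject.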