e5cb6bf749b22e4232541bdd75087559bcba643bed551040ec74a561d8de259d

General

Target

prescrivere 12.20.doc
Size

145KB
MD5

b53e10e01be1eff9f160d798c7292058
SHA1

3f553e215de6b65fad42346d5891482a17d53555
SHA256

e5cb6bf749b22e4232541bdd75087559bcba643bed551040ec74a561d8de259d
SHA512

e5a454a96e047a84df1778bb38cf271f32484d84a3bcd8125d4ad687c9650abb4237b1f572b1a878e101efadfffe47dbffb6924e795d3a387336a30fb717575d

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1760	1992	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1760 regsvr32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
1760	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeWINWORD.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{61F5ABA1-3569-11EB-91BA-FE04141E889F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1992 WINWORD.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1852 iexplore.exe

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1852	iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

WINWORD.EXEiexplore.exeIEXPLORE.EXE

pid	process
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1852	iexplore.exe
1852	iexplore.exe
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WINWORD.EXEiexplore.exe

description	pid	process	target process
PID 1992 wrote to memory of 1760	1992	WINWORD.EXE	regsvr32.exe
PID 1992 wrote to memory of 1760	1992	WINWORD.EXE	regsvr32.exe
PID 1992 wrote to memory of 1760	1992	WINWORD.EXE	regsvr32.exe
PID 1992 wrote to memory of 1760	1992	WINWORD.EXE	regsvr32.exe
PID 1992 wrote to memory of 1760	1992	WINWORD.EXE	regsvr32.exe
PID 1992 wrote to memory of 1760	1992	WINWORD.EXE	regsvr32.exe
PID 1992 wrote to memory of 1760	1992	WINWORD.EXE	regsvr32.exe
PID 1992 wrote to memory of 1672	1992	WINWORD.EXE	splwow64.exe
PID 1992 wrote to memory of 1672	1992	WINWORD.EXE	splwow64.exe
PID 1992 wrote to memory of 1672	1992	WINWORD.EXE	splwow64.exe
PID 1992 wrote to memory of 1672	1992	WINWORD.EXE	splwow64.exe
PID 1852 wrote to memory of 1060	1852	iexplore.exe	IEXPLORE.EXE
PID 1852 wrote to memory of 1060	1852	iexplore.exe	IEXPLORE.EXE
PID 1852 wrote to memory of 1060	1852	iexplore.exe	IEXPLORE.EXE
PID 1852 wrote to memory of 1060	1852	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\prescrivere 12.20.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\programdata\GsXVM.pdf
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:1760

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\GsXVM.pdf
MD5
077f36d2ffcf5ee8c2c240f73327d45d

SHA1
521d1b499a7039c4cc792b612c12bf17c81f5823

SHA256
f48cd2a30ec043340a606a7ae60fbb91a7fd938be937ff08a10463734f89adc4

SHA512
aabe08bd5c849e08886916191f45384454c2f372c67f2fd3e2b8a83cd91ccf0dc48f2273838564cb02ba4d033a9fb8fd811e9371c1d0ac2713a4674493f1b62c

Download Submit
\ProgramData\GsXVM.pdf
MD5
077f36d2ffcf5ee8c2c240f73327d45d

SHA1
521d1b499a7039c4cc792b612c12bf17c81f5823

SHA256
f48cd2a30ec043340a606a7ae60fbb91a7fd938be937ff08a10463734f89adc4

SHA512
aabe08bd5c849e08886916191f45384454c2f372c67f2fd3e2b8a83cd91ccf0dc48f2273838564cb02ba4d033a9fb8fd811e9371c1d0ac2713a4674493f1b62c

Download Submit
memory/1060-9-0x0000000000000000-mapping.dmp

Download
memory/1672-7-0x0000000000000000-mapping.dmp

Download
memory/1760-4-0x0000000000000000-mapping.dmp

Download
memory/1992-3-0x00000000003C6000-0x00000000003CA000-memory.dmp

Filesize
16KB

Download
memory/1992-2-0x00000000003C6000-0x00000000003CA000-memory.dmp

Filesize
16KB

Download
memory/2040-8-0x000007FEF7020000-0x000007FEF729A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads