7df11aa42a30d550a3fba77ed9fc353108f4cac53a2dac6f29a6534dd0ecbd06

General

Target

INV-1581.doc
Size

149KB
MD5

470b5f77bd00e2002939833ab72ad47a
SHA1

540fb80aae64faccbb47ced4d4ec57448ca4297e
SHA256

7df11aa42a30d550a3fba77ed9fc353108f4cac53a2dac6f29a6534dd0ecbd06
SHA512

69a569c079bf78693d751d3834f94888de5f3276b69d9eb63c09bec678335dbb0740337d87646ea26325851d2e4754c881d7c7512520d5831468bc07a84f6b55

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exeexplorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2044	892	explorer.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	268	892	explorer.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

5 1768 WScript.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
5	1768	WScript.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

892 WINWORD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

368 explorer.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

892 WINWORD.EXE
892 WINWORD.EXE

pid	process
892	WINWORD.EXE

pid	process
368	explorer.exe

pid	process
892	WINWORD.EXE
892	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WINWORD.EXEexplorer.exe

description	pid	process	target process
PID 892 wrote to memory of 2044	892	WINWORD.EXE	explorer.exe
PID 892 wrote to memory of 2044	892	WINWORD.EXE	explorer.exe
PID 892 wrote to memory of 2044	892	WINWORD.EXE	explorer.exe
PID 892 wrote to memory of 2044	892	WINWORD.EXE	explorer.exe
PID 1984 wrote to memory of 1768	1984	explorer.exe	WScript.exe
PID 1984 wrote to memory of 1768	1984	explorer.exe	WScript.exe
PID 1984 wrote to memory of 1768	1984	explorer.exe	WScript.exe
PID 892 wrote to memory of 268	892	WINWORD.EXE	explorer.exe
PID 892 wrote to memory of 268	892	WINWORD.EXE	explorer.exe
PID 892 wrote to memory of 268	892	WINWORD.EXE	explorer.exe
PID 892 wrote to memory of 268	892	WINWORD.EXE	explorer.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INV-1581.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\healthother.vbs
2⤵
- Process spawned unexpected child process
PID:2044

C:\Windows\SysWOW64\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\agoright.exe
2⤵
- Process spawned unexpected child process
PID:268

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\healthother.vbs"
2⤵
- Blocklisted process makes network request
PID:1768

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\agoright.exe
MD5
62962daa1b19bbcc2db10b7bfd531ea6

SHA1
d64bae91091eda6a7532ebec06aa70893b79e1f8

SHA256
80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880

SHA512
9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\healthother.vbs
MD5
552f3e780bb97a3f81a732d5e26e2474

SHA1
bfddf68ec2daf167f212a0157b258ead3827ca47

SHA256
c711528dad5f1237a870ac01a6657579ac276dd30b0904aa0d4bcb795678d2ab

SHA512
1fe1db760854d0182c20d80ae98a19679aee1760a508ddbc31eb3b9081f4d105259028dfcd14d08d7d3bfba2670685d896aa642cd630947fd58dd66b417da2a0

Download Submit
memory/268-15-0x000000006B0E1000-0x000000006B0E3000-memory.dmp

Filesize
8KB

Download
memory/268-13-0x0000000000000000-mapping.dmp

Download
memory/368-18-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/892-3-0x000000006FEB1000-0x000000006FEB3000-memory.dmp

Filesize
8KB

Download
memory/892-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/892-2-0x0000000072431000-0x0000000072434000-memory.dmp

Filesize
12KB

Download
memory/1096-11-0x000007FEF7570000-0x000007FEF77EA000-memory.dmp

Filesize
2.5MB

Download
memory/1768-12-0x00000000025E0000-0x00000000025E4000-memory.dmp

Filesize
16KB

Download
memory/1768-10-0x0000000000000000-mapping.dmp

Download
memory/1984-8-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/2044-7-0x000000006B251000-0x000000006B253000-memory.dmp

Filesize
8KB

Download
memory/2044-6-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/2044-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads