8014c0158f80dd74af4b84df47bd058a8b14ec874b74cdfa765ce592f3db4e85

General

Target

info (2).doc
Size

36KB
MD5

fed40d2c7fd54c4bb79af4d7aeed141e
SHA1

ffa20af1ec10ac49e54526205e1b168508b72f77
SHA256

8014c0158f80dd74af4b84df47bd058a8b14ec874b74cdfa765ce592f3db4e85
SHA512

6a8a75818b7dc06d2696819b350f1af0521d5e070d7cc3f3560dbd1f9c68e3dfbb5ca4e9c6cf48959418468d8377fc6d78585a9e152f704fcce09ba0158f54e0

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeWINWORD.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000715f794202832f409df8a5c7f77c048e00000000020000000000106600000001000020000000ef6690661a96ae36e0ac81917366e5e6e07402d38a31a9462db56a57b9f20b98000000000e8000000002000020000000954235e64112e93965e5e5c265a4a4532e2118035a1188bd5162e92e7c2f52d0200000000aaaf1abf717fdf3a48dc05c31d6ff620284a0fde9fb725327a07815e25c163c40000000ac459ddc5d4853b1e0d5428a3123ebcd8e9dfb34249c658e64f9f71373c903632c8511aad38e771f0e7c520167278a6aeacdc1738c4ac88f0cd8c4ce58ed86ce	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B06EC851-80BF-11EB-A016-EE401B9E63CB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000715f794202832f409df8a5c7f77c048e000000000200000000001066000000010000200000007692ff1a77c147a4d7f142e1a09fa2b4f34d63e5003aedd263460828238a1229000000000e80000000020000200000004835d374c03cf95ccb11d8b81796f5d88a2117cdc5898486d2e6f316bf89f27b90000000dc01d1b85c89c4ffe660ac2e2309986ec8c8fbd636f422ff00c62a4b771346326f5fc4597ee3093922348959363cde1a16240d6aebce18d0fd8081b229e36ee8a6f7d76f3a6d936a5664b7e1b04f83932eb00dd198206c4bc6dc4db7e223e64eebb4b54a230bfd5568f76d4ea706de44f36d15171d1cb8757bb91288df1e8641c1b15b13136e050b694db164501da711400000007ca1230db0c2b3eeae569f1a8c0a31541c3838d338736708f950902ec85bd0934c5843cc67f56a83cdd83609b99331f865242aeb817d305bd7bc628c0e7af6cb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e043a987cc14d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

372 WINWORD.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1776 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

WINWORD.EXEiexplore.exeIEXPLORE.EXE

pid process

372 WINWORD.EXE
372 WINWORD.EXE
1776 iexplore.exe
1776 iexplore.exe
1324 IEXPLORE.EXE
1324 IEXPLORE.EXE

pid	process
372	WINWORD.EXE

pid	process
1776	iexplore.exe

pid	process
372	WINWORD.EXE
372	WINWORD.EXE
1776	iexplore.exe
1776	iexplore.exe
1324	IEXPLORE.EXE
1324	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXEiexplore.exe

description	pid	process	target process
PID 372 wrote to memory of 1180	372	WINWORD.EXE	splwow64.exe
PID 372 wrote to memory of 1180	372	WINWORD.EXE	splwow64.exe
PID 372 wrote to memory of 1180	372	WINWORD.EXE	splwow64.exe
PID 372 wrote to memory of 1180	372	WINWORD.EXE	splwow64.exe
PID 1776 wrote to memory of 1324	1776	iexplore.exe	IEXPLORE.EXE
PID 1776 wrote to memory of 1324	1776	iexplore.exe	IEXPLORE.EXE
PID 1776 wrote to memory of 1324	1776	iexplore.exe	IEXPLORE.EXE
PID 1776 wrote to memory of 1324	1776	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\info (2).doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1180

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-2-0x0000000072881000-0x0000000072884000-memory.dmp

Filesize
12KB

Download
memory/372-3-0x0000000070301000-0x0000000070303000-memory.dmp

Filesize
8KB

Download
memory/372-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1180-5-0x0000000000000000-mapping.dmp

Download
memory/1180-6-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmp

Filesize
8KB

Download
memory/1324-8-0x0000000000000000-mapping.dmp

Download
memory/1324-9-0x00000000765E1000-0x00000000765E3000-memory.dmp

Filesize
8KB

Download
memory/1804-7-0x000007FEF6350000-0x000007FEF65CA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing