72032bd1b1c1a6ec8ae1762a14aa4092627d49069abaeecb74f3268620c48d73

General

Target

72032bd1b1c1a6ec8ae1762a14aa4092627d49069abaeecb74f3268620c48d73.doc
Size

21KB
MD5

0081b3299ae18a60a7904ada0ad0bb4f
SHA1

2973ff43efc2e1084132b4f6124a8661764563cd
SHA256

72032bd1b1c1a6ec8ae1762a14aa4092627d49069abaeecb74f3268620c48d73
SHA512

87c6cfd0e8c93a1a4dc5051b1f6340e31343732b220d435b952c014511694f9f56e4bf0fea7cb70c2dcbc229b1626ef8ae221211284cf6a62ffa665a9eed74fc

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2008 WINWORD.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

WINWORD.EXE

pid	process
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\72032bd1b1c1a6ec8ae1762a14aa4092627d49069abaeecb74f3268620c48d73.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2008

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2008-54-0x00000000723D1000-0x00000000723D4000-memory.dmp

Filesize
12KB

Download
memory/2008-55-0x000000006FE51000-0x000000006FE53000-memory.dmp

Filesize
8KB

Download
memory/2008-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2008-57-0x0000000074F61000-0x0000000074F63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing