fd8fb3e11d99a6d6859132438636b7ee4b065c4d122fed6cf9ef09a8efb31949

General

Target

fd8fb3e11d99a6d6859132438636b7ee4b065c4d122fed6cf9ef09a8efb31949.doc
Size

376KB
MD5

8bef6462eaf14f26e7bc698c0324f8c3
SHA1

4deefb742406355b63fe645378f4b76cca5c2af4
SHA256

fd8fb3e11d99a6d6859132438636b7ee4b065c4d122fed6cf9ef09a8efb31949
SHA512

d60801696e761690accc0588b4a9118f8ab645ece3ecbb0394e4bf4e8c6d1233033f004b408b09033dd27e36545ec9f3e76a938f558d9ab876255e46a4aec85e

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1308 WINWORD.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

WINWORD.EXE

pid	process
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE
1308	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fd8fb3e11d99a6d6859132438636b7ee4b065c4d122fed6cf9ef09a8efb31949.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1308-54-0x0000000072D51000-0x0000000072D54000-memory.dmp

Filesize
12KB

Download
memory/1308-55-0x00000000707D1000-0x00000000707D3000-memory.dmp

Filesize
8KB

Download
memory/1308-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1308-57-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing