6ace4ddf63aa8d54b60f01e6aaa4638c27b49dfc64a707e35c004eee09de1c7f

Analysis

Target

范伟打天下招财宝辅助/打天下.docx
Size

14KB
MD5

162ed8f97d07ab7d5fc0247a3882214e
SHA1

25d9d1beb6cb9ad827bc6eb91473466a4b3c9396
SHA256

dd16d6e9fc980e69ead21f86fe118f68060cb72df78c638cd24227042153eecb
SHA512

1d88cf0ab9bd9e9dd4654eaeb2ee3eb9ae2a2ec7a3abd06593d230df5ca3148b945976fde932fcf141f7dc61c2c00f59f7ca43802ddb47ea53ce37b9f5be22d7

Score

1^/10

Modifies Internet Explorer settings 1 TTPs 6 IoCs

Modify Registry

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\范伟打天下招财宝辅助\打天下.docx"
1⤵
- Modifies Internet Explorer settings
PID:1120
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1968

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1120-54-0x0000000072AC1000-0x0000000072AC4000-memory.dmp

Filesize
12KB

Download
memory/1120-55-0x0000000070541000-0x0000000070543000-memory.dmp

Filesize
8KB

Download
memory/1120-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1120-57-0x000000007152D000-0x0000000071538000-memory.dmp

Filesize
44KB

Download
memory/1120-58-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download
memory/1120-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1968-59-0x0000000000000000-mapping.dmp

Download
memory/1968-60-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download