General
Target

attachment20220623-9352-39vkb5.docx

Filesize

15KB

Completed

23-06-2022 15:06

Task

behavioral1

Score
4/10
MD5

ffb80cb38f5d800f795caa6d680ced91

SHA1

edec203339855f1566b458552ce020555d1ca759

SHA256

8034e9d89e50c54569328c996b351e5a341558f433b4e7e491c3a78ef5de302a

SHA256

241c09eb900243c70c06c341f213471bbbe7f0b64c9dd3006136daf5de66e59f2b857e28c7d6582c0a790a57db4e43462fcafea7a1c2de9e76fc6959b3ad7f80

Malware Config
Signatures 7

Filter: none

Defense Evasion
  • Drops file in Windows directory
    WINWORD.EXE

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\Debug\WIA\wiatrace.logWINWORD.EXE
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings
    WINWORD.EXE

    TTPs

    Modify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"WINWORD.EXE
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shellWINWORD.EXE
    Key created\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNoteWINWORD.EXE
    Set value (int)\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"WINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"WINWORD.EXE
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMANDWINWORD.EXE
    Key created\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\ToolbarWINWORD.EXE
    Key created\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExtWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\editWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"WINWORD.EXE
    Set value (str)\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"WINWORD.EXE
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\editWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML EditorWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\commandWINWORD.EXE
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML EditorWINWORD.EXE
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML EditorWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""WINWORD.EXE
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMANDWINWORD.EXE
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\editWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""WINWORD.EXE
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shellWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shellWINWORD.EXE
    Set value (str)\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\editWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shellWINWORD.EXE
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML EditorWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\commandWINWORD.EXE
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000WINWORD.EXE
    Set value (int)\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"WINWORD.EXE
    Key created\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft ExcelWINWORD.EXE
  • Modifies registry class
    WINWORD.EXE

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\editWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exeWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\commandWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexecWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft WordWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\commandWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\commandWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""WINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"WINWORD.EXE
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\editWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"WINWORD.EXE
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\EditWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\editWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\PrintWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\commandWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfileWINWORD.EXE
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topicWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\PrintWINWORD.EXE
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\PrintWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"WINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\editWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\editWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"WINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\editWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexecWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\EditWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\commandWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.htmWINWORD.EXE
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000WINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"WINWORD.EXE
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\commandWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIconWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\commandWINWORD.EXE
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000WINWORD.EXE
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\commandWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandlerWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old IconWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\editWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfileWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft ExcelWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\commandWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exeWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"WINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\applicationWINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"WINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"WINWORD.EXE
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"WINWORD.EXE
    Key deleted\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\commandWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\editWINWORD.EXE
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\commandWINWORD.EXE
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pidprocess
    948WINWORD.EXE
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE

    Reported IOCs

    pidprocess
    948WINWORD.EXE
    948WINWORD.EXE
  • Suspicious use of WriteProcessMemory
    WINWORD.EXE

    Reported IOCs

    descriptionpidprocesstarget process
    PID 948 wrote to memory of 960948WINWORD.EXEsplwow64.exe
    PID 948 wrote to memory of 960948WINWORD.EXEsplwow64.exe
    PID 948 wrote to memory of 960948WINWORD.EXEsplwow64.exe
    PID 948 wrote to memory of 960948WINWORD.EXEsplwow64.exe
Processes 2
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\attachment20220623-9352-39vkb5.docx"
    Drops file in Windows directory
    Modifies Internet Explorer settings
    Modifies registry class
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:948
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:960
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                      Privilege Escalation
                        Replay Monitor
                        00:00 00:00
                        Downloads
                        • memory/948-54-0x0000000072541000-0x0000000072544000-memory.dmp

                        • memory/948-55-0x000000006FFC1000-0x000000006FFC3000-memory.dmp

                        • memory/948-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

                        • memory/948-57-0x0000000074F21000-0x0000000074F23000-memory.dmp

                        • memory/948-58-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

                        • memory/948-61-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

                        • memory/948-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

                        • memory/948-63-0x0000000070FAD000-0x0000000070FB8000-memory.dmp

                        • memory/960-59-0x0000000000000000-mapping.dmp

                        • memory/960-60-0x000007FEFB971000-0x000007FEFB973000-memory.dmp