34fb40ba8037a55e6beafa9767b25bf9e96272e9a32ff2b88dc66d529dad2a81

General

Target

34fb40ba8037a55e6beafa9767b25bf9e96272e9a32ff2b88dc66d529dad2a81.rtf
Size

76KB
MD5

2b4b0ba685522de8398d14d540b41a3a
SHA1

a1775333979c220ffadfb0fbc30f1b11ae8e500f
SHA256

34fb40ba8037a55e6beafa9767b25bf9e96272e9a32ff2b88dc66d529dad2a81
SHA512

f90dbe910080cb1adeebc6322d3955cf8194455140bb2c8bd5f2376b07334290cbc52de5e4ce0b70d4e290e3c712b19b7acffdcda3e8690424a382527889a9ef
SSDEEP

768:Cww+/yQPu+nS+YMyvsOdRdrpDVHftZGPkVUGwX31+1vZnKuYHx+CTgNEwsN9TX8B:+uu+nS+OLpDVHPYgUJHEc/xgdUTo19X

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1424	1552	DW20.EXE	27

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1552	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1552	WINWORD.EXE
1552	WINWORD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1552	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1552	WINWORD.EXE
1552	WINWORD.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 544	1552	WINWORD.EXE	28
PID 1552 wrote to memory of 544	1552	WINWORD.EXE	28
PID 1552 wrote to memory of 544	1552	WINWORD.EXE	28
PID 1552 wrote to memory of 544	1552	WINWORD.EXE	28
PID 1552 wrote to memory of 1424	1552	WINWORD.EXE	31
PID 1552 wrote to memory of 1424	1552	WINWORD.EXE	31
PID 1552 wrote to memory of 1424	1552	WINWORD.EXE	31
PID 1552 wrote to memory of 1424	1552	WINWORD.EXE	31
PID 1552 wrote to memory of 1424	1552	WINWORD.EXE	31
PID 1552 wrote to memory of 1424	1552	WINWORD.EXE	31
PID 1552 wrote to memory of 1424	1552	WINWORD.EXE	31
PID 1424 wrote to memory of 1812	1424	DW20.EXE	32
PID 1424 wrote to memory of 1812	1424	DW20.EXE	32
PID 1424 wrote to memory of 1812	1424	DW20.EXE	32
PID 1424 wrote to memory of 1812	1424	DW20.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\34fb40ba8037a55e6beafa9767b25bf9e96272e9a32ff2b88dc66d529dad2a81.rtf"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:544
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1184
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 1184
    3⤵
    PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7173518.cvr

Filesize
812B

MD5
7b4f44c1648059ba62847a80886ad3b1

SHA1
4a35c9133f455955ea21a6ec73379067df8fec5c

SHA256
9eeff5fc30e7882155cf73b08f96dbe111aae2db2ed6ac8c721c942c6a0e44ac

SHA512
1fc9d37dd433c647df33fde53074a747d91be8809af5ab075c59f3e3fa103ea08e06849c092dc0ba7d10e7da8d401c8aa337aab07bd33e4b7107ee61124700c5

Download Submit
memory/544-60-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1552-54-0x00000000720C1000-0x00000000720C4000-memory.dmp

Filesize
12KB

Download
memory/1552-55-0x000000006FB41000-0x000000006FB43000-memory.dmp

Filesize
8KB

Download
memory/1552-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1552-57-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1552-58-0x0000000070B2D000-0x0000000070B38000-memory.dmp

Filesize
44KB

Download
memory/1552-61-0x000000006B251000-0x000000006B253000-memory.dmp

Filesize
8KB

Download
memory/1552-62-0x0000000005190000-0x00000000052EC000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing