df09cf54be956ad32c29af6cd96cc33ae65416f54704a0f068ed0c5b0678a90b

General

Target

df09cf54be956ad32c29af6cd96cc33ae65416f54704a0f068ed0c5b0678a90b.docm
Size

69KB
MD5

584c41316433d07ee47da0d29f03d523
SHA1

e23e03a469d49e8abec172c3e6ed62dd7bb1a14f
SHA256

df09cf54be956ad32c29af6cd96cc33ae65416f54704a0f068ed0c5b0678a90b
SHA512

dc0148dda5f543b10e1318c7038c8ee036da1439dfe3e20b321f18d3531d19e10740e81dd10308631091375d3acaaabd87e064795d2b2f4a8f639e5f1efe0f61
SSDEEP

1536:1bmVED3EOz7x0B4pNUsmNIsR+5Z5nG05BiRakr:NmV9u/aNIsonVBi0kr

Score

1^/10

Malware Config

Signatures

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1652 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

1652 WINWORD.EXE
1652 WINWORD.EXE
1652 WINWORD.EXE
1652 WINWORD.EXE
1652 WINWORD.EXE
1652 WINWORD.EXE
1652 WINWORD.EXE

pid	process
1652	WINWORD.EXE

pid	process
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\df09cf54be956ad32c29af6cd96cc33ae65416f54704a0f068ed0c5b0678a90b.docm"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-54-0x0000000072581000-0x0000000072584000-memory.dmp

Filesize
12KB

Download
memory/1652-55-0x0000000070001000-0x0000000070003000-memory.dmp

Filesize
8KB

Download
memory/1652-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1652-57-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1652-58-0x0000000070FED000-0x0000000070FF8000-memory.dmp

Filesize
44KB

Download
memory/1652-59-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-60-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-62-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-61-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-63-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-64-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-65-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-67-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-66-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-68-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-70-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-69-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-71-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-73-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-72-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-74-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-75-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-76-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-78-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-77-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-79-0x000000000052C000-0x0000000000590000-memory.dmp

Filesize
400KB

Download
memory/1652-80-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-81-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-82-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-83-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-85-0x000000000052C000-0x0000000000590000-memory.dmp

Filesize
400KB

Download
memory/1652-84-0x00000000004FA000-0x00000000004FE000-memory.dmp

Filesize
16KB

Download
memory/1652-86-0x0000000070FED000-0x0000000070FF8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing