638c38749b79a38a18d641e3b170e7feeebba21ab3b31ca2d98c5abc5832a150

Analysis

max time kernel
142s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

638c38749b79a38a18d641e3b170e7feeebba21ab3b31ca2d98c5abc5832a150.doc
Size

206KB
MD5

ac410c5f71d453cab00f24da3a84331a
SHA1

ba7161303e5fe757c3ab2e9f29bb9e8552a2d1d5
SHA256

638c38749b79a38a18d641e3b170e7feeebba21ab3b31ca2d98c5abc5832a150
SHA512

5dc488594cd524b3b87514eb19ac755daed577857f7b5f921b762c30359492bef32eaefd5012d4244085ff3455cd308d4efab632a57285c245026d9108983d8e
SSDEEP

768:uequRtGdnmCuFHaCBmMOhQ95rv0WE7wi+lGtakc/Nae4YSQ02MQem8Uqq3Slv1OE:PIruGgIe48Qe0cJVaifpYutbcHg

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

964 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

964 WINWORD.EXE
964 WINWORD.EXE

pid	process
964	WINWORD.EXE

pid	process
964	WINWORD.EXE
964	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\638c38749b79a38a18d641e3b170e7feeebba21ab3b31ca2d98c5abc5832a150.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-54-0x00000000722C1000-0x00000000722C4000-memory.dmp

Filesize
12KB

Download
memory/964-55-0x000000006FD41000-0x000000006FD43000-memory.dmp

Filesize
8KB

Download
memory/964-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/964-57-0x0000000070D2D000-0x0000000070D38000-memory.dmp

Filesize
44KB

Download
memory/964-58-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/964-59-0x0000000070D2D000-0x0000000070D38000-memory.dmp

Filesize
44KB

Download
memory/964-60-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-61-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-62-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-63-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-64-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-65-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-66-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-67-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-68-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-69-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-70-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-71-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-72-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-73-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-74-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-75-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-77-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-76-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-78-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-79-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-80-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-81-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-83-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-82-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-85-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-84-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-87-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-86-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-88-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-89-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-91-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-90-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-92-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-93-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-94-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-96-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-97-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-95-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-99-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-98-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-101-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-100-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-102-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-103-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-105-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-104-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-107-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-106-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-110-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-111-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-109-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-108-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-113-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-112-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-114-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-116-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-115-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-118-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-117-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-119-0x0000000000585000-0x0000000000589000-memory.dmp

Filesize
16KB

Download
memory/964-138-0x0000000070D2D000-0x0000000070D38000-memory.dmp

Filesize
44KB

Download