7c4713eddafabe7a1cf608a4dbd647a6767f1f38c3e093efdc534ce408d2e63c

General

Target

7c4713eddafabe7a1cf608a4dbd647a6767f1f38c3e093efdc534ce408d2e63c.rtf
Size

86KB
MD5

01830fe4651a03ab1d6dcb03a542adda
SHA1

4d274e74b6ae1269cc130b0ecec86d5578f0377c
SHA256

7c4713eddafabe7a1cf608a4dbd647a6767f1f38c3e093efdc534ce408d2e63c
SHA512

f0d54dd5f014af6b122237cd66d7fc9eeed7df51913f32f67ac277fd2a912e2eee4d797fe5423586602bbad26e5c32db30f273dec4b156c7b8e2847cd9d72308
SSDEEP

1536:UTDfWIALOpI4NIih6ztAgyjfZ/1whG3a0EFN:HIALOpIh/tAgyjftl4

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	556	1996	DW20.EXE	27

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1996	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1996	WINWORD.EXE
1996	WINWORD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1996	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1996	WINWORD.EXE
1996	WINWORD.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 864	1996	WINWORD.EXE	28
PID 1996 wrote to memory of 864	1996	WINWORD.EXE	28
PID 1996 wrote to memory of 864	1996	WINWORD.EXE	28
PID 1996 wrote to memory of 864	1996	WINWORD.EXE	28
PID 1996 wrote to memory of 556	1996	WINWORD.EXE	29
PID 1996 wrote to memory of 556	1996	WINWORD.EXE	29
PID 1996 wrote to memory of 556	1996	WINWORD.EXE	29
PID 1996 wrote to memory of 556	1996	WINWORD.EXE	29
PID 1996 wrote to memory of 556	1996	WINWORD.EXE	29
PID 1996 wrote to memory of 556	1996	WINWORD.EXE	29
PID 1996 wrote to memory of 556	1996	WINWORD.EXE	29
PID 556 wrote to memory of 892	556	DW20.EXE	30
PID 556 wrote to memory of 892	556	DW20.EXE	30
PID 556 wrote to memory of 892	556	DW20.EXE	30
PID 556 wrote to memory of 892	556	DW20.EXE	30

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7c4713eddafabe7a1cf608a4dbd647a6767f1f38c3e093efdc534ce408d2e63c.rtf"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:864
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 984
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 984
    3⤵
    PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7127950.cvr

Filesize
812B

MD5
434f80e26202597981218773e5d468e8

SHA1
74e651fe8a0bdd80ba341d1e0b5106ed8acaac57

SHA256
a06e8d97ec2b3978fbae4ca8bda0d9370d466935a2a419d648aff02446c899bf

SHA512
bab6b9fbaa2fc41ac254e4d33416ba73badf22b86c2f59c884fecbacb97eef487d194a7ef579a4442a056d31f56ceaa36204dcc5d0b8e3c448d9a49f3923b4aa

Download Submit
memory/864-60-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download
memory/1996-54-0x0000000072F41000-0x0000000072F44000-memory.dmp

Filesize
12KB

Download
memory/1996-55-0x00000000709C1000-0x00000000709C3000-memory.dmp

Filesize
8KB

Download
memory/1996-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1996-57-0x00000000719AD000-0x00000000719B8000-memory.dmp

Filesize
44KB

Download
memory/1996-58-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1996-66-0x00000000719AD000-0x00000000719B8000-memory.dmp

Filesize
44KB

Download
memory/1996-67-0x000000006BA71000-0x000000006BA73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing