Overview

overview

10

Static

static

8

NZD119641754ZC.doc

windows7-x64

10

NZD119641754ZC.doc

windows10-2004-x64

10

Resubmissions

07-03-2023 23:05

230307-225daacb21 8

07-03-2023 22:54

230307-2vyl6aca8t 10

Analysis

  • max time kernel
    108s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    07-03-2023 22:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NZD119641754ZC.doc

  • Size

    530.3MB

  • MD5

    a30a0a27d7d9f91339b2259909db8d9f

  • SHA1

    e579a0c503b5f717057ef8619f4a39fbbbf27a74

  • SHA256

    861389800aba82afef0d4e3f11d6cf21c64846d8ed689d1a974b16431193a6d2

  • SHA512

    9d6d9bef69fc6a2cf07916e40a9eed0dbfca5022beb281bf060376a9a9f741e1c52726e85e16f2741efa2626cf21f5680c7481f4631eac91aa0114138a260083

  • SSDEEP

    6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NZD119641754ZC.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\235901.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\235901.tmp"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DFFmGOuPue\mQbkwuaaipxN.dll"
          4⤵
            PID:340
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:968

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\235901.tmp
        Filesize

        525.7MB

        MD5

        0e5d3a4d6abae23acfa4188303cecd2b

        SHA1

        0a7980f838ad2f4875b8daa4eb572fec2a3e7913

        SHA256

        abeeec8805129592d6e24fdbb641b74989c3f6cfe944f59027484fcb367c044e

        SHA512

        6b4916731c378d7427979eac87a0ddd6651ce405b0bf277ef99ce57885c0893ee7210fea99a601d2a27bc5f587e83d3cccba634a8f16118f51498a0e7a6e5ee4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\235905.zip
        Filesize

        861KB

        MD5

        55bf4c58736e0da06b0e1652acfd073d

        SHA1

        ea589407ece093433d16cd705b0606211b4f88eb

        SHA256

        6ce0ef62a201f70b24655f88ba8cee0b74656814c3c078c5d5573af8bb9d70f4

        SHA512

        2dad6fccb606005220bb44d8e0ed3b14b47e1c9f81570a57bc22430daa5114bde843aaeb0a38aef9ba80c2d61db16eddc9164a056d04889cf2b781ab049bef99

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        1361382b4b20700fbbaf34c35c6a575a

        SHA1

        6c9a41e92b2f46f1d342a4c3165482506f3f134b

        SHA256

        ecbf69a01d9a473e0df471a7196169349e2151fee2a110e1156f146fc9c1fb0e

        SHA512

        8a9b8fd0f235d0ac97e7d7bd964f47fe2787884bfbc5e272d9924187759daee5b4454f9521733f27871c08f45cd8e3cb755b9e065263874bfd12c848ae118df2

        Download Submit

      • \Users\Admin\AppData\Local\Temp\235901.tmp
        Filesize

        525.7MB

        MD5

        0e5d3a4d6abae23acfa4188303cecd2b

        SHA1

        0a7980f838ad2f4875b8daa4eb572fec2a3e7913

        SHA256

        abeeec8805129592d6e24fdbb641b74989c3f6cfe944f59027484fcb367c044e

        SHA512

        6b4916731c378d7427979eac87a0ddd6651ce405b0bf277ef99ce57885c0893ee7210fea99a601d2a27bc5f587e83d3cccba634a8f16118f51498a0e7a6e5ee4

        Download Submit

      • \Users\Admin\AppData\Local\Temp\235901.tmp
        Filesize

        525.7MB

        MD5

        0e5d3a4d6abae23acfa4188303cecd2b

        SHA1

        0a7980f838ad2f4875b8daa4eb572fec2a3e7913

        SHA256

        abeeec8805129592d6e24fdbb641b74989c3f6cfe944f59027484fcb367c044e

        SHA512

        6b4916731c378d7427979eac87a0ddd6651ce405b0bf277ef99ce57885c0893ee7210fea99a601d2a27bc5f587e83d3cccba634a8f16118f51498a0e7a6e5ee4

        Download Submit

      • memory/340-1271-0x00000000001F0000-0x00000000001F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1060-1268-0x0000000000130000-0x0000000000131000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2020-78-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-81-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-59-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-61-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-62-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-63-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-64-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-65-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-66-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-67-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-68-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-70-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-69-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-71-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-72-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-73-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-74-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-75-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-76-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-60-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-77-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-79-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-80-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-58-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-83-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-85-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-84-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-82-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-87-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-86-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-88-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-89-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-91-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-90-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-92-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-93-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-95-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-94-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-96-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-97-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-57-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-98-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-99-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-105-0x0000000000690000-0x0000000000790000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-1077-0x0000000006100000-0x0000000006101000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2020-1272-0x0000000006100000-0x0000000006101000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2020-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download