cb638551632b271c9993266834e78a2c9a64a4b9deb8590497b0901f1044e6ff

Resubmissions

07-03-2023 21:18

230307-z5p2nabe8y 10

07-03-2023 20:15

230307-y1kqpsbg32 10

07-03-2023 12:20

230307-phtffshc7w 10

Analysis

max time kernel
24s
max time network
95s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-03-2023 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVOICE VL18998 07 March 23.doc
Size

506.2MB
MD5

a57a44cff1336300bbe9f2508cf19e65
SHA1

4de86fa9897363f5444105a34c6ae6982cfd4c2c
SHA256

cb638551632b271c9993266834e78a2c9a64a4b9deb8590497b0901f1044e6ff
SHA512

10413498e5248246da88dad27f7cedf1ad65f7cc94e10a470d65ec3cab000ed53b0e07ae226de7960842f509b54aaa2f2d6f74dd51dcb6b010d0d30362cba493
SSDEEP

3072:eoEW2aOtFjH0lP2IpjctfRcVVwEi/A8NVM1wIOCbX6bYLjWFJuvx7ueK6:ZE1aOtFa2I9c3aVw4zwxCbJ4Jup

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1932	1336	regsvr32.exe	26

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1336	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1336	WINWORD.EXE
1336	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE VL18998 07 March 23.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1336
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\132245.tmp"
  2⤵
  - Process spawned unexpected child process
  PID:1932
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Local\Temp\132245.tmp"
    3⤵
    PID:1956
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NNNmGbqzpmJww\BiSgfNncoyEAQL.dll"
      4⤵
      PID:548
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\132245.tmp

Filesize
546.7MB

MD5
88c37dca6593eed5b057a068bcfefe6a

SHA1
450920c2a5f4f3375103fc6a52c61362a67b5a40

SHA256
e34f283e6c42994ac9075cde8a341480f9d0a8f85097f8de3b6b4a959bf8c2c9

SHA512
7d8cfb4da0fcd73ae923b32fecae2ff2ce233a5ad5ae0e112440e44569605895c372b5d11c76ac496ec05ceac29a8c224246325ecf55bef2efef5dee3d4de8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\132255.zip

Filesize
895KB

MD5
0da553b8e94586775982d109d55c3164

SHA1
5f212ff3f80f7b37e4d2fcce68af52db8632a3c3

SHA256
83a3d3e42d62c998eee118d60fcdf6a96ae44e276d8dd92f07496237acc49883

SHA512
e5c483fe3728581b3a1a40a049b286f6312ab81847f36de40f1fa8d67e94eb62b7a526c6bbc246d421e928e5fc7053aa88cd88758c7ed5c46605f704ec1a6dc5

Download Submit
\Users\Admin\AppData\Local\Temp\132245.tmp

Filesize
527.0MB

MD5
88daa3429e16ee4c20b1e552361197b0

SHA1
8067a3fa1c2225f40b9e95bd80ba149bfb6fcf34

SHA256
0bbed65de096b623925d32b249ecf435073f3c64dc29c7700c3056127afee312

SHA512
6a246691cc46d907183d8bd4b753df11f386b2ac191aa173e4a09dbcb5dcf473bb6064fbb20ccc5625c3d96d9da7daa757abd88ad7c62962f9d05e9728602105

Download Submit
\Users\Admin\AppData\Local\Temp\132245.tmp

Filesize
546.7MB

MD5
88c37dca6593eed5b057a068bcfefe6a

SHA1
450920c2a5f4f3375103fc6a52c61362a67b5a40

SHA256
e34f283e6c42994ac9075cde8a341480f9d0a8f85097f8de3b6b4a959bf8c2c9

SHA512
7d8cfb4da0fcd73ae923b32fecae2ff2ce233a5ad5ae0e112440e44569605895c372b5d11c76ac496ec05ceac29a8c224246325ecf55bef2efef5dee3d4de8cb

Download Submit
memory/548-848-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1336-268-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-322-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-133-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-160-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-187-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-214-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-241-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1336-295-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-106-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-349-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-377-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-376-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-403-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-83-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-82-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-81-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-80-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1336-79-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1956-843-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download