51f1fdf15170d27b6c36e52407bc57e614400179e93fb406eb8e8d6a1d3ecfa7

General

Target

INVOICE 589 03_23.doc
Size

526.2MB
MD5

b59808aba76dd0095aa06133382de9ed
SHA1

59aed06213b305d2877031e8ef489064ef74ca74
SHA256

2e116e6a43dcc2ee55df34664a7d5bfae36918f3a8ce5af97be6cb99e3a4de5b
SHA512

134c7c9929c277a3ec0403c2246214059d107c78c0056f8190218e0d16ded3cfaa7a4682d695f9e6212c66220cb222589c8fcd19f6ea70a00994eb06eec6566b
SSDEEP

3072:eoEW2aOtFjH0lP2IpjctfRcVVwEi/A8NVM1wIOCbX6bYLjWFJuvx7ueK6:ZE1aOtFa2I9c3aVw4zwxCbJ4Jup

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	112	932	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 8 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

932 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

932 WINWORD.EXE
932 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
932	WINWORD.EXE

pid	process
932	WINWORD.EXE
932	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE 589 03_23.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:932

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\132554.tmp"
2⤵
- Process spawned unexpected child process
PID:112

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\132554.tmp"
3⤵
PID:936

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PBUceV\VstIMTf.dll"
4⤵
PID:768

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\132554.tmp

Filesize
505.7MB

MD5
ac31fad4a21b818d8f52e65750a2ec0f

SHA1
954e23b16ded88b1cd050ddcb09b6a5ac6c35dcf

SHA256
6f9f0b51aaa11810ded4080d39bed24ff7649bc3fccc587ced5e9398951e27e0

SHA512
c3dd380ade1962bf0affc15618784bae7a52bd4bb49386c2e6b5f94bffc79cd8012f2d681aa88c31f4c827a18578230c5f248973589c60a870d40fab9c36bd13

Download Submit
C:\Users\Admin\AppData\Local\Temp\132625.zip

Filesize
854KB

MD5
731e36761ee1a839654772084b9fc85f

SHA1
4ffe2c1a06c0eac1d50df9208ef76b5f97386257

SHA256
783a13f48c8488c14c15d83cae95bf0d251590aa530bdaf4f7381d6958dcfb3a

SHA512
6c6e75d17346709cbad2f6fbb1040363204873f0a5d1178c451a9069e602ecee4083a05706837e6d020c9dbc3d5673f26a921680cd75bdddc12d61c697ce661c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
3feec9e5f8f4200b767864059a6a8d19

SHA1
8525aaa62c2ee48d337cad29252ac052b49b926b

SHA256
d98e5693b5190b634d66ca983d95e816d1893b3dd2a580e2e3c9de08c07429dc

SHA512
d812c7ea9d717ab5cf40c9b9fe7ee7e02dd3947844a5ab321d3512365687f06a9a9e55799455de2c266edd5242d9a49bd3914d9ec85e620bdcfbbebd345c6733

Download Submit
\Users\Admin\AppData\Local\Temp\132554.tmp

Filesize
504.6MB

MD5
96afa7134449025de476a501ee68d27a

SHA1
ee883ada7173d3787b61c2a0ae674a419d729a1b

SHA256
14c70a1439ef1b159cc15fdbdb152aa87a1f8a01667019c8e6099cc7c0e23087

SHA512
f43a57d213903432e14b0b7527f37f23b68d3a60e946dad2b5eaf91e2f88edba51e000b629642a95ed5c27550b6eb2efb1ae73f118080be1ea2a34756b73d587

Download Submit
\Users\Admin\AppData\Local\Temp\132554.tmp

Filesize
505.7MB

MD5
ac31fad4a21b818d8f52e65750a2ec0f

SHA1
954e23b16ded88b1cd050ddcb09b6a5ac6c35dcf

SHA256
6f9f0b51aaa11810ded4080d39bed24ff7649bc3fccc587ced5e9398951e27e0

SHA512
c3dd380ade1962bf0affc15618784bae7a52bd4bb49386c2e6b5f94bffc79cd8012f2d681aa88c31f4c827a18578230c5f248973589c60a870d40fab9c36bd13

Download Submit
memory/768-849-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/932-77-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-81-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-63-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-67-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-65-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-68-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-69-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-70-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-71-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-73-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-74-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-76-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/932-79-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-78-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-64-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-80-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-82-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-75-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-72-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-66-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-83-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-84-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-111-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-113-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-62-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-60-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-61-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-59-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-57-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/932-58-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/936-843-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing