c6d750d9cae9fcd030fe2c95a4755e250430d5b0d9351661d9593aeaeb020d5a

General

Target

17_62561.doc
Size

525.2MB
MD5

8639c3d193b8211d1fe561b896716f89
SHA1

508d00b731259c63a1e7aaa1030e96a62f4c241a
SHA256

988d82d5b1032b465b0e0c3b60fd5f822209f4cdc9ab04de91139be98dac9ecd
SHA512

9fc1773a40eb49f063f2ecab55f91c8851f320b26918305a05a310411289c08f9053af26389e3e24195804b405a7d358facffbd720bfbc1e7996262bb4d47030
SSDEEP

3072:eoEW2aOtFjH0lP2IpjctfRcVVwEi/A8NVM1wIOCbX6bYLjWFJuvx7ueK6:ZE1aOtFa2I9c3aVw4zwxCbJ4Jup

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1260	1104	regsvr32.exe	26

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1104	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1104	WINWORD.EXE
1104	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1260	1104	WINWORD.EXE	27
PID 1104 wrote to memory of 1260	1104	WINWORD.EXE	27
PID 1104 wrote to memory of 1260	1104	WINWORD.EXE	27
PID 1104 wrote to memory of 1260	1104	WINWORD.EXE	27
PID 1104 wrote to memory of 1260	1104	WINWORD.EXE	27
PID 1104 wrote to memory of 1260	1104	WINWORD.EXE	27
PID 1104 wrote to memory of 1260	1104	WINWORD.EXE	27

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\17_62561.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\170350.tmp"
  2⤵
  - Process spawned unexpected child process
  PID:1260
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Local\Temp\170350.tmp"
    3⤵
    PID:696
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RMixmaevgtQTehCbf\koVnXicvAQHegB.dll"
      4⤵
      PID:832
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\170350.tmp

Filesize
295.9MB

MD5
d1ed50d1b8e3ed3d1262738810309064

SHA1
1abbd21e82f795e686c366daedcc65aa3d9983dd

SHA256
378ef20e1e28ebd04eb99c21e852affb29ceddea49e25364ec87b71affdf7d48

SHA512
7bd961f8b52b8f19227f1a101de01d0731ddabc993455f1bfaaf2f29465e7da2ec883699e1fa7524475818517a84ae909a9d408902bb702625a413ee58a551cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\170438.zip

Filesize
886KB

MD5
c0bac72ad97c272fc2d150c5dbf016d2

SHA1
b899b29530ac17f23153da0a069f568fdbb44e99

SHA256
bb1664730efed30b2183adb6b265d98a2fbf12a3a0b857b5a325f7b4037a89b6

SHA512
c89f7484ef6cbaaeaeb01a1a151b431304565d4ed7f2ccbe2150d92f8d586212f9e1b7e7a0b3673c5e98f46d446c35413c52aab6610522f05b19f1aefa37d0f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
20e94b46d9f6539cd3090ad072231f91

SHA1
96d40227b40c8e31775330bdfa804ac0d2154e83

SHA256
8d0101ae405a8385bd7b2b75223948ac4d1832588d6612072f224f45547d21ab

SHA512
88e2f30627c4974d26857e5274a24c133c6a83101e4ad34f4a589d75ac7710ccfd42f03115f1be11f8791386af43b32bd11ab529700b95f1bac8134464117a76

Download Submit
\Users\Admin\AppData\Local\Temp\170350.tmp

Filesize
291.0MB

MD5
bbabd127e8eb8b354cd1d9773d01521a

SHA1
e40e61512f775e38ef0f84a3996b8f05cb8c6899

SHA256
2e479b9610ee0b786adbdabed2fbb7a071e87d86efa71977eaeb9260fa5b7473

SHA512
b0fe3b5645c7d6c5964a307f0c19c758ec57bddcdcffc413b8c948c46218e0f982d18b0c8e2a822f3ba58cfdb3b01a8f0e4d02d56c93b3759be0bbfe3a2f4857

Download Submit
\Users\Admin\AppData\Local\Temp\170350.tmp

Filesize
295.5MB

MD5
aa4d2f6caf05086bb04451a2e64a678c

SHA1
51b47db57d4d4d59381f5d812e28ee359ee104dd

SHA256
df4d135955f86076dbca98c7963b0f8623b1c141aab3108c3871a78b1a0344e6

SHA512
0fcc311441500d249d098d6518dcfa00f72e1e4b9b6f853edcc7b3c2ce9253eb342f20805d39f7bef1eefb6316ddf11cf07be436937750bf92a10385d977113b

Download Submit
memory/696-847-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1104-76-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-77-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-65-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-66-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-68-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-69-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-70-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-71-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-72-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-73-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-74-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-75-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1104-78-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-79-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-63-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-80-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-82-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-81-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-83-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-67-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-64-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-84-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-111-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-62-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-60-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-61-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-59-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-58-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1104-57-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing