acf196f673746a742cc77ab864e0a81c2ac85200bc33ee27543e7d4c257ecdea

General

Target

acf196f673746a742cc77ab864e0a81c2ac85200bc33ee27543e7d4c257ecdea.rtf
Size

373KB
MD5

d1e8c1498d56e7da0e8fc0671b5ab2b5
SHA1

8276facc6ef40df6385dd3dd49e41848228c7735
SHA256

acf196f673746a742cc77ab864e0a81c2ac85200bc33ee27543e7d4c257ecdea
SHA512

4c2d96882d9e2806c3f83b5d9382d11f87eedbf351345fc887d41a5f07af976fa2bca9f3491315f73533c75c8aadfd8a315f79a41b5d158a7760b27c2e3bcc40
SSDEEP

3072:2S3COPNhY0WulaBX+g3iXHfEPsOMf0ReLwtKnMht197h5IbS9MP2BwxPSmqO5G5/:r/Z1Od5IbS9MP2BGfBrDBPZvzjZU1

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1928	1240	DW20.EXE	18

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1240	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1240	WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1260	dwwin.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1240	WINWORD.EXE
1240	WINWORD.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1492	1240	WINWORD.EXE	27
PID 1240 wrote to memory of 1492	1240	WINWORD.EXE	27
PID 1240 wrote to memory of 1492	1240	WINWORD.EXE	27
PID 1240 wrote to memory of 1492	1240	WINWORD.EXE	27
PID 1240 wrote to memory of 1928	1240	WINWORD.EXE	28
PID 1240 wrote to memory of 1928	1240	WINWORD.EXE	28
PID 1240 wrote to memory of 1928	1240	WINWORD.EXE	28
PID 1240 wrote to memory of 1928	1240	WINWORD.EXE	28
PID 1240 wrote to memory of 1928	1240	WINWORD.EXE	28
PID 1240 wrote to memory of 1928	1240	WINWORD.EXE	28
PID 1240 wrote to memory of 1928	1240	WINWORD.EXE	28
PID 1928 wrote to memory of 1260	1928	DW20.EXE	29
PID 1928 wrote to memory of 1260	1928	DW20.EXE	29
PID 1928 wrote to memory of 1260	1928	DW20.EXE	29
PID 1928 wrote to memory of 1260	1928	DW20.EXE	29

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\acf196f673746a742cc77ab864e0a81c2ac85200bc33ee27543e7d4c257ecdea.rtf"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1492
- C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 928
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 928
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7091165.cvr

Filesize
776B

MD5
21d63acfb0f10416197f1eeecd06d1f7

SHA1
9d7dd43f7c1262fba50c94abd3381e6a353da18e

SHA256
e3c31bdb50cc2eb461558d9aa69b626672dab5d0aeb371e28f1506bd2173eb17

SHA512
6bc4d63e4d9e297932c8678c1be6c2f5ad2a154870b839a94e4da706c0cd65f65ea42835d0043a3039c9a622fa102e96b29cec6cfc5cf864e592cbe237f15e88

Download Submit
memory/1240-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1260-60-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1260-61-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing