8c9068ba10a1e96dfbff0d53492dc251f0d203ff01eed75f7661a918cfff7d34

Resubmissions

08/03/2023, 02:21

230308-cs4mysde97 8

08/03/2023, 01:53

230308-ca7lwsch8w 10

Analysis

max time kernel
22s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/03/2023, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-03-08_1035.doc
Size

517.3MB
MD5

bcae0aca1a3b2df9d5e85de2ed3666e9
SHA1

f56c3b72b7e8c55b9685e35765553fafbbb08e2b
SHA256

5a092b0034f937f68ad7e5679ed840039fb824df8cad8f74b890cb7f4e42f0cd
SHA512

4162200952e62402a6085ae5f1342a5b35d59f52a5ddf54d9eea3d318f62df9ca308cfc3e079cca484ab38af1ed17fa68fe9ad0c9541ff483aa3de20fff44afa
SSDEEP

6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1328	1268	regsvr32.exe	25

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1268	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1268	WINWORD.EXE
1268	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1268	WINWORD.EXE
1268	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-08_1035.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1268
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\015422.tmp"
  2⤵
  - Process spawned unexpected child process
  PID:1328
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Local\Temp\015422.tmp"
    3⤵
    PID:1776
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\THfxnKOtUyOumn\uyXn.dll"
      4⤵
      PID:1796
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\015422.tmp

Filesize
212.8MB

MD5
97bb8d571410e5cf7fb504d09b08ff94

SHA1
aa0970c70df4bec9fb8413562f0eed033b36af53

SHA256
cf0b1b9249f86b30a2ee125569f2c2656c609a3c3691be2912aace3722d4f762

SHA512
515ab73283a658a263283de8a4038560206d93983d2a2ab05664e9a1767e05af264ae05f047418f9614cf0668e970b6080a5b8b66e1c3aed2c7a39525032299a

Download Submit
C:\Users\Admin\AppData\Local\Temp\015426.zip

Filesize
875KB

MD5
ec0b4c8e920c852946a0d690ee2cd586

SHA1
cb41f39dbe450baf40f9fbb4b1ec4e0607f1ae5a

SHA256
80149f6492b1d711bd03b600f2199f7a3db402acf72f4b48afd7dfe04fe5e57b

SHA512
0a60f530f26dc279f24f0a4792407f0055173a55cc6cec30ed49a3212a931cd36ebc38ad5da5cc00af53f41c8023ea3140d5c5c1c29fd1451457814e8f8f51a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
6ad6dc8b9f6b5a835cf9fa401501074b

SHA1
5d5876823c86eebe92b45aae62adc990ef3c519d

SHA256
0fe0a0d880ff7ff7ff8452e8572c935aa3449b52ac91967fdf90e6a01f1e009c

SHA512
e84201fcf6c48b85a4085a98b9b1c2c78e991d3ef0d4308e4c36d5c8f1cadfb1c2078885b3a409fdd7ea5a4852b9f264f1b8f343eb216b062388d569f9bcabd2

Download Submit
\Users\Admin\AppData\Local\Temp\015422.tmp

Filesize
210.3MB

MD5
2495d3979b46b0c508f1dbbeb9dedcbe

SHA1
d2ac76f7c5250fc45c9d6a51d2c821768caf8ec7

SHA256
311c2590931f98269bc8e221d11464495bdc649e16f46842eca734fed3b14265

SHA512
d3e836060c4d9eae13dd06412d2cb13a0b201326ced3ecd086fe6dfa4ef2614967a1bf231794567ff5607b301b5ea66a51c34bb9d2afef123dbe1e8945cb5011

Download Submit
\Users\Admin\AppData\Local\Temp\015422.tmp

Filesize
213.2MB

MD5
a093e4d996f85748947f6864e7a67e89

SHA1
883b8e083aeeb75c28372ff770a0236da1bbd8d2

SHA256
7c056f21a5b99031e673cc07ce62f694d1bc7ccf7423810eb8ae9199c2aca5de

SHA512
f2b74522540c1b2808966cdb5eed772be824f0827dbcde4bd74816aee47f6da0b2acc95f69ac78b4cc424acf2efdbd24769beaf0f77f54a80d75e7bf211aba1c

Download Submit
memory/1268-77-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-66-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-59-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-61-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-60-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-62-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-63-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-64-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-65-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-69-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-68-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-70-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-81-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-67-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-72-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-71-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-74-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-73-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-75-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-76-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-78-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-57-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-58-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-79-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-90-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-84-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-83-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-82-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-87-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-89-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-88-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-80-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-86-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-85-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-92-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-93-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-95-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-96-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-94-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-91-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-99-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-98-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-97-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1268-1077-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/1268-1270-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/1268-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1776-1268-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download