Resubmissions

08/03/2023, 04:45

230308-fdxsmsea83 10

08/03/2023, 04:40

230308-farr8ade91 10

Analysis

  • max time kernel
    115s
  • max time network
    87s
  • platform
    windows7_x64
  • resource
    win7-20230220-es
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-es, locale:es-es, os:windows7-x64, system, windows
  • submitted
    08/03/2023, 04:40

General

  • Target

    DETALLES_2562.doc

  • Size

    540.2MB

  • MD5

    5044553467b5553505acb52ce47e92c7

  • SHA1

    74688fc37b7ca6938ff26ba73b0433f4f61eb41b

  • SHA256

    2a5d629a4645bf7e5a38f790f411fdbc96fa0ca814d04d27892421993caf4adb

  • SHA512

    8b4d9360e0099b7d73c0aa90e0f09f0f2f15fdf993b9f7f79ebf0f304c4f374e054bdb2e2c30593c592ac6f24938e219be40fe7447b3c76d32ac5cdd59bde6da

  • SSDEEP

    3072:eoEW2aOtFjH0lP2IpjctfRcVVwEi/A8NVM1wIOCbX6bYLjWFJuvx7ueK6:ZE1aOtFa2I9c3aVw4zwxCbJ4Jup
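
The sizes above are the first thing to question: a 540.2 MB .doc that drops a 530.7 MB .tmp (while the zip is 866 KB) is far beyond what a real document needs, and inflating a dropper with filler is a known way to push it past the per-file size cap at which many scanners and sandboxes stop inspecting content. The helper below is an added example, not part of the report or of any product's code: it hashes a sample the way the report lists hashes, measures how much of the file is runs of one repeated byte, strips trailing padding, and rehashes the remainder so the payload can be pivoted on. The 100 MB cap and the constructed sample standing in for 054124.tmp are assumptions.

```python
"""Added triage helper: is an oversized dropper mostly filler, and what is left once it is stripped?"""
import hashlib
from collections import Counter
from typing import Dict


def hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256, matching the fields the report lists, so a stripped payload can be re-pivoted."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def most_common_byte(data: bytes) -> int:
    return Counter(data).most_common(1)[0][0]


def filler_bytes(data: bytes, run: int = 4096) -> int:
    """Lower bound on the bytes that sit in runs of at least `run` copies of the most common byte.
    Counting non-overlapping fixed-size runs keeps this a C-speed bytes.count, not a Python loop."""
    if not data:
        return 0
    needle = bytes([most_common_byte(data)]) * run
    return data.count(needle) * run


def trailing_padding(data: bytes) -> int:
    """Length of the run of identical bytes at the very end of the file."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def triage(data: bytes, scanner_cap: int = 100 * 1024 * 1024) -> dict:
    """scanner_cap is an assumed per-file limit above which an engine skips content scanning."""
    pad = trailing_padding(data)
    payload = data[: len(data) - pad]
    return {
        "size": len(data),
        "filler_ratio": filler_bytes(data) / len(data) if data else 0.0,
        "trailing_padding": pad,
        "exceeds_scanner_cap": len(data) > scanner_cap,
        "payload_size": len(payload),
        "payload_exceeds_scanner_cap": len(payload) > scanner_cap,
        "payload_sha256": hashes(payload)["sha256"],
    }


# Constructed stand-in for the dropped 054124.tmp: a small fake payload followed by 200,000 zero bytes.
PAYLOAD = b"MZ" + bytes(range(256)) * 16
SAMPLE = PAYLOAD + b"\x00" * 200_000

if __name__ == "__main__":
    for key, value in triage(SAMPLE, scanner_cap=100_000).items():
        print(f"{key}: {value}")
```

Run it against the real .tmp by reading the file into `data`; a high filler ratio with a payload well under the cap is the signature of size-inflation, and the payload SHA256 is the value worth searching for, since the hashes of the padded file change with every rebuild of the filler.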

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DETALLES_2562.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\054124.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\054124.tmp"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XSYljZexDxraaqoka\eAZxdx.dll"
          4⤵
            PID:1632
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1588
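
The chain above is the detection-relevant part of the report: WINWORD.EXE spawns regsvr32 with /s on a .tmp under the user's Temp folder, the 32-bit regsvr32 hands the work to its 64-bit counterpart (hence two regsvr32 hops), and the last hop registers a DLL from a freshly created, randomly named subdirectory of System32. The rule below is an added example, not code from the report or the sandbox vendor. It runs over process-creation records constructed from the tree above (PIDs, images and command lines as shown there), plus one constructed benign installer registration for contrast; the Office image set and the System32 subdirectory allowlist are assumptions to tune for your own estate.

```python
"""Added example: flag the WINWORD -> regsvr32 -> regsvr32 chain from the process tree above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# System32 subdirectories a legitimate regsvr32 target may live in; an allowlist to tune
# for your estate (assumption, not from the report).
KNOWN_SYSTEM32_SUBDIRS = {"drivers", "wbem", "spool"}
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class ProcEvent:
    """Minimal process-creation record (what Sysmon event 1 or Security 4688 would give you)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regsvr32_target(cmdline: str) -> Optional[str]:
    """The file regsvr32 was asked to load: the last argument that is neither a switch
    nor the regsvr32 image itself (the report shows both quoted and unquoted forms)."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]
    args = [t for t in tokens if t and not t.startswith(("/", "-")) and basename(t) != "regsvr32.exe"]
    return args[-1] if args else None


def office_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_hops: int = 4) -> Optional[ProcEvent]:
    """Walk up the parent chain; the second and third regsvr32 hops are only grandchildren of Word."""
    cur = ev
    for _ in range(max_hops):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return None
        if basename(parent.image) in OFFICE_IMAGES:
            return parent
        cur = parent
    return None


def evaluate(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Per-PID list of indicator names; an empty list means nothing fired for that process."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits: List[str] = []
        findings[ev.pid] = hits
        if basename(ev.image) != "regsvr32.exe":
            continue
        anc = office_ancestor(ev, by_pid)
        if anc is not None:
            hits.append("office_parent" if anc.pid == ev.ppid else "office_ancestor")
        target = regsvr32_target(ev.cmdline)
        if target is None:
            continue
        low = target.lower()
        if "\\appdata\\local\\temp\\" in low:
            hits.append("temp_target")
        if not low.endswith((".dll", ".ocx")):
            hits.append("non_dll_extension")
        # DLL in a subdirectory directly under System32/SysWOW64 that is not on the allowlist
        m = re.search(r"\\windows\\(system32|syswow64)\\([^\\]+)\\[^\\]+$", low)
        if m and m.group(2) not in KNOWN_SYSTEM32_SUBDIRS:
            hits.append("system32_subdir_target")
    return findings


def flagged_pids(events: List[ProcEvent]) -> List[int]:
    return [pid for pid, hits in evaluate(events).items() if hits]


# Constructed events mirroring the report's process tree (PIDs, images and command lines as
# shown there); the final entry is a constructed benign installer registration for contrast.
EVENTS = [
    ProcEvent(1164, 0, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DETALLES_2562.doc"'),
    ProcEvent(1092, 1164, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\054124.tmp"'),
    ProcEvent(1936, 1092, r"C:\Windows\system32\regsvr32.exe",
              r'/s "C:\Users\Admin\AppData\Local\Temp\054124.tmp"'),
    ProcEvent(1632, 1936, r"C:\Windows\system32\regsvr32.exe",
              r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XSYljZexDxraaqoka\eAZxdx.dll"'),
    ProcEvent(1588, 1164, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(2000, 1999, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'),
]

if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(pid, hits or "-")
```

The parent walk matters more than any single string match: the first regsvr32 is the only one whose direct parent is Word, and the one that loads the System32 DLL is three hops away, so a rule keyed on ParentImage alone would see only the first hop. The .tmp extension and the Temp path are the cheap, high-signal indicators; the System32 subdirectory check needs an allowlist because legitimate components are registered from there too.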

      Network

            MITRE ATT&CK Enterprise v6

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\054124.tmp

              Filesize

              530.7MB

              MD5

              312594d8c22456b03982d9744cf55cb0

              SHA1

              57e6ba85118338d5f695405bb64c4ecaf5f2dae2

              SHA256

              efcf59f4423df8fdacbfa8c3d23b6a3e4722bab65c31ea8a7f32daadddfa7adc

              SHA512

              92bd3244cc00ef6933e4adbc24f3cdde4660f943d725c69f0b4090b623c9071f5d16cdf69d14c7d44507fd8a9420db567ae819bfbee388c09c9c76158cef2834

            • C:\Users\Admin\AppData\Local\Temp\054133.zip

              Filesize

              866KB

              MD5

              747b20f9e5d20eca7807a57267affcec

              SHA1

              3ab0ed51172202b8e1482f84a96d305696c62c74

              SHA256

              f5489b7483ce83c1492066bb7ab4d9ced5e11f3c98a8d555360b97fa8cc2e4b6

              SHA512

              73cba221c17f51fb180e5f641022b1577e72d1e3b42cc7c125386f50619e529fec162e549d1412ebb6939663a1f9d09b81eb9147280fe8d9ed83ed160fa12af1

            • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

              Filesize

              20KB

              MD5

              423c6aead2bd5cf36d693220128e3a09

              SHA1

              fc43b04058bb1ba545a2552c737e70ca7e8485f6

              SHA256

              d388be4b71e95240a5cce12a9a54fda3131dbd7f8d05c0ec788513572f23a271

              SHA512

              67b20f685c336d5f99dc9694923bfd787d1b553ebcd31d326b862491e918028968a5f3b6262dbf1d86bb1c7f3c96b20a8c4fe70c87234918f2cae9202d991707

            • \Users\Admin\AppData\Local\Temp\054124.tmp

              Filesize

              530.7MB

              MD5

              312594d8c22456b03982d9744cf55cb0

              SHA1

              57e6ba85118338d5f695405bb64c4ecaf5f2dae2

              SHA256

              efcf59f4423df8fdacbfa8c3d23b6a3e4722bab65c31ea8a7f32daadddfa7adc

              SHA512

              92bd3244cc00ef6933e4adbc24f3cdde4660f943d725c69f0b4090b623c9071f5d16cdf69d14c7d44507fd8a9420db567ae819bfbee388c09c9c76158cef2834

            • memory/1164-76-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-78-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-65-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-67-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-66-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-68-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-70-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-71-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-72-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-73-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-74-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

            • memory/1164-77-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-64-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-75-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-69-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-63-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-58-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-84-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-111-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-62-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-60-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-61-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-59-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1164-57-0x0000000000280000-0x0000000000380000-memory.dmp

              Filesize

              1024KB

            • memory/1632-845-0x0000000000170000-0x0000000000171000-memory.dmp

              Filesize

              4KB

            • memory/1936-843-0x00000000000C0000-0x00000000000C1000-memory.dmp

              Filesize

              4KB