Analysis
- max time kernel: 22s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 08/03/2023, 06:16

Behavioral task: behavioral1
- Sample: 2023-03-08_1509.doc
- Resource: win7-20230220-en
General
- Target: 2023-03-08_1509.doc
- Size: 520.3MB
- MD5: f5e7227c77fac1e1fd2dd02c74f142e6
- SHA1: c2f88e9be84a1d93e053854d662082189ad59e55
- SHA256: b2bb80310dca2ee1127f4723ca27cf6a59f0243760e139f6f108cdb692b795f7
- SHA512: 73d0ca98f6e1f7a04772e84b95753d11bbf22496404d5dc1ba1bf3fec367efad65e60d5bba82be8993af1b99830b83f9345b411f092984b495bc34f3eb4ebd42
- SSDEEP: 6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x
Malware Config
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  - description: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  - pid: 1648 (regsvr32.exe)
  - pid_target: 1636 (parent WINWORD.EXE)
  - procid_target: 26
- Office loads VBA resources, possible macro or embedded object present
- Modifies Internet Explorer settings
  All registry operations below are performed by WINWORD.EXE under \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer:
  - Key created: ...\MenuExt
  - Key created: ...\MenuExt\Se&nd to OneNote
  - Set value (str): ...\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  - Set value (int): ...\MenuExt\Se&nd to OneNote\Contexts = "55"
  - Key created: ...\MenuExt\E&xport to Microsoft Excel
  - Set value (str): ...\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  - Set value (int): ...\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  - Key created: ...\Toolbar
  - Set value (str): ...\Toolbar\ShowDiscussionButton = "Yes"
- Script User-Agent (1 IoCs)
  Uses user-agent string associated with script host/environment.
  - description: HTTP User-Agent header
  - flow: 2
  - ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  - pid 1636, Process WINWORD.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  - pid 1636, Process WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - pid 1636, Process WINWORD.EXE (2 occurrences)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1636)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-08_1509.doc"
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\regsvr32.exe (PID 1648)
    Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\072025.tmp"
    - Process spawned unexpected child process
    - C:\Windows\system32\regsvr32.exe (PID 1484)
      Command line: /s "C:\Users\Admin\AppData\Local\Temp\072025.tmp"
      - C:\Windows\system32\regsvr32.exe (PID 1620)
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LQYiQwNmulLFNhtNt\lhWp.dll"
  - C:\Windows\splwow64.exe (PID 1016)
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v6
Downloads