Analysis

  • max time kernel
    109s
  • max time network
    85s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/03/2023, 06:41

General

  • Target
    952786590042030229132__2023-07-03_1900.doc
  • Size
    501.2MB
  • MD5
    2c87c888a9c3d39d2b751f7aa38c8c64
  • SHA1
    2dfd7cc73ccd79630ca17e0281f06fdf094b58ba
  • SHA256
    b7412cebd2b113144016959f2dba85873a3edb87c6727eac1c781b56ec447f25
  • SHA512
    66223af0f74aeae3f4997485cb590d68037d45fa243679de84d65ddb754ccd931c9890b72811e865609825daab30bd2cc2a4da4164776bd2bc90524d3730c46b
  • SSDEEP
    3072:eoEW2aOtFjH0lP2IpjctfRcVVwEi/A8NVM1wIOCbX6bYLjWFJuvx7ueK6:ZE1aOtFa2I9c3aVw4zwxCbJ4Jup

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this run WINWORD.EXE (PID 1212) launches regsvr32.exe with the silent switch /s against 074213.tmp, a file dropped in the user's Temp directory; the regsvr32 child (PID 1484) then re-launches regsvr32 twice more before a DLL under a System32 sub-directory is registered (PID 1924).

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\952786590042030229132__2023-07-03_1900.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\074213.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\074213.tmp"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\USvRWNogYdVeDZq\CkYUQdJrIDEqk.dll"
          4⤵
            PID:1924
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:888
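The process tree above shows why a detection keyed only on the direct parent is incomplete: 32-bit WINWORD.EXE (Office14 under Program Files (x86)) invokes C:\Windows\System32\regsvr32.exe, WoW64 file-system redirection resolves that to SysWOW64\regsvr32.exe (PID 1484), and regsvr32 then re-launches the 64-bit copy (PID 1504), which in turn starts a third regsvr32 (PID 1924) against a DLL in a freshly named System32 sub-directory. Only PID 1484 has an Office parent; PIDs 1504 and 1924 have an Office ancestor. The following detection logic is an added example and is not part of this sandbox report or of the Triage product. Its events are constructed from the PIDs, images and command lines listed in the Processes section; the field names pid, ppid, image and cmdline are an assumed Sysmon-style schema, the process-name lists are assumed, and the "System32 sub-directory" rule is a heuristic rather than a documented signature.

```python
"""Detection logic for the Office -> regsvr32 chain in this report.

Added example, not part of the sandbox report or the Triage product.
EVENTS is constructed from the report's Processes section; the schema
(pid, ppid, image, cmdline) is assumed, and _SYS32_SUBDIR is a heuristic.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_IMAGES = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                 "cscript.exe", "powershell.exe", "cmd.exe"}
REGISTRABLE_EXT = {".dll", ".ocx", ".ax"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
# Heuristic: a COM server registered from a sub-directory of System32/SysWOW64.
_SYS32_SUBDIR = re.compile(r"\\(?:system32|syswow64)\\[^\\]+\\[^\\]+\.(?:dll|ocx)$")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; ppid 0 marks the root.
EVENTS: List[Event] = [
    Event(1212, 0, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
          r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
          r'"C:\Users\Admin\AppData\Local\Temp\952786590042030229132__2023-07-03_1900.doc"'),
    Event(1484, 1212, r"C:\Windows\SysWOW64\regsvr32.exe",
          r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\074213.tmp"'),
    Event(1504, 1484, r"C:\Windows\system32\regsvr32.exe",
          r'/s "C:\Users\Admin\AppData\Local\Temp\074213.tmp"'),
    Event(1924, 1504, r"C:\Windows\system32\regsvr32.exe",
          r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\USvRWNogYdVeDZq\CkYUQdJrIDEqk.dll"'),
    Event(888, 1212, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
]


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted paths whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def regsvr32_target(cmdline: str) -> Optional[str]:
    """Return the module regsvr32 was asked to register: the last argument that
    is neither a switch nor the regsvr32 image itself (the image token may be
    absent altogether, as in the PID 1504 command line above)."""
    args = [t for t in tokenize(cmdline)
            if not t.startswith(("/", "-"))
            and ntpath.basename(t).lower() != "regsvr32.exe"]
    return args[-1] if args else None


def ancestors(by_pid: Dict[int, Event], pid: int) -> List[Event]:
    """Walk ppid links towards the root, nearest ancestor first."""
    chain, seen, e = [], {pid}, by_pid.get(pid)
    while e is not None and e.ppid in by_pid and e.ppid not in seen:
        seen.add(e.ppid)
        e = by_pid[e.ppid]
        chain.append(e)
    return chain


def analyse(events: List[Event]) -> Dict[int, List[str]]:
    """Map each flagged PID to the list of reasons it was flagged."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        reasons: List[str] = []
        name = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        if name in LOLBIN_IMAGES:
            if parent and ntpath.basename(parent.image).lower() in OFFICE_IMAGES:
                reasons.append("office-parent")
            elif any(ntpath.basename(a.image).lower() in OFFICE_IMAGES
                     for a in ancestors(by_pid, e.pid)):
                # Catches re-launches such as 32-bit regsvr32 -> 64-bit regsvr32.
                reasons.append("office-ancestor")
        if name == "regsvr32.exe":
            target = regsvr32_target(e.cmdline)
            if target:
                low = target.lower()
                ext = ntpath.splitext(low)[1]
                if ext not in REGISTRABLE_EXT:
                    reasons.append(f"non-dll-target:{ext or 'none'}")
                if any(d in low for d in USER_WRITABLE):
                    reasons.append("user-writable-target")
                if _SYS32_SUBDIR.search(low):
                    reasons.append("system32-subdir-target")
            if any(t.lower() == "/s" for t in tokenize(e.cmdline)):
                reasons.append("silent")
        if reasons:
            findings[e.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, why in sorted(analyse(EVENTS).items()):
        print(pid, ", ".join(why))
```

Run against the constructed events, PID 1484 is flagged for its Office parent, the non-DLL extension, the user-writable path and the silent switch; PID 1504 carries the same indicators via its Office ancestor; PID 1924 is flagged only through the ancestor walk and the System32 sub-directory heuristic, which is the finding a direct-parent rule would miss. The heuristic also matches legitimate registrations from known System32 sub-directories, so in production pair it with the ancestor or user-writable condition rather than using it alone.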

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\074213.tmp
    Filesize: 521.7MB
    MD5: 17b526011c4771fef77b0de07860ea35
    SHA1: 0b9c87e491d78b400372841095145c459f16bee5
    SHA256: 36fced0bbe2ddc463e54bc8061f8e04387aa99a48f048d98e342f3a6b4b576a1
    SHA512: a97805fce559b849982df6f5bd04d2711ffd0943a600eca42dfd661fb099400e782f39281b0d7ffa3268b732c34eeac331885c86127314fa1847163ae494420a

  • C:\Users\Admin\AppData\Local\Temp\074220.zip
    Filesize: 857KB
    MD5: 9a4298ef5f10387c46ba81c05e978f85
    SHA1: 1aa5c8aa5449723d73d449a1d432a467f626f0bf
    SHA256: 1c85b11916ce4ddd9e71725c0e02ed164ea6019c8a245819ddc81798c324f4fd
    SHA512: b33a36266d7113e95a1e707549c4bc9934254a007fb27883be8dfe3516e6bf461e0efd90bde05f02f1b37bcafc3c4f4958b52ef4d4f1a21311e1c85c5fead8c2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: e4f4bd87e820ba5e3d96181078330ad3
    SHA1: f62fd942af6185366290f91a4cdb9fa527343790
    SHA256: a6b594710c6d77528e71ab7609b4becadd9786d9283e590b1962c636ac6141b2
    SHA512: c5c25a5a658927918f0fba913abf4242b9b95236589f1d6730f2d164086036f3f73939096a2defce192370e54ae851d5651085f5631a4525df7ac56a93b9b4a9

  • \Users\Admin\AppData\Local\Temp\074213.tmp
    Filesize: 521.7MB
    MD5: 17b526011c4771fef77b0de07860ea35
    SHA1: 0b9c87e491d78b400372841095145c459f16bee5
    SHA256: 36fced0bbe2ddc463e54bc8061f8e04387aa99a48f048d98e342f3a6b4b576a1
    SHA512: a97805fce559b849982df6f5bd04d2711ffd0943a600eca42dfd661fb099400e782f39281b0d7ffa3268b732c34eeac331885c86127314fa1847163ae494420a

  • memory/1212-241-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-349-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-133-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-160-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-187-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-214-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-217-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
  • memory/1212-268-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-295-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-322-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-106-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-376-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-405-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-403-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-83-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-79-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-81-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-82-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1212-80-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize: 1024KB
  • memory/1504-843-0x00000000003C0000-0x00000000003C1000-memory.dmp
    Filesize: 4KB
  • memory/1924-849-0x0000000000200000-0x0000000000201000-memory.dmp
    Filesize: 4KB