Analysis

  • max time kernel
    32s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/03/2023, 06:53

General

  • Target

    form.doc

  • Size

    509.3MB

  • MD5

    48a64e3f96c122410578caf6e70329b9

  • SHA1

    57a464d3735eb91850c56be1462c22c5bec57996

  • SHA256

    8d4427329c8bde96652807caa270a0950be8f917076cb1c5bb893995c995a5ac

  • SHA512

    1a5f6926e5ca27fcbf372ed3b9f5348550a77161e76662d6865d2e5b30124326e3356a93c6f8a516baa0c3c63b2fccbc52a3a6af5a1c1cd050bf35cde6b4874a

  • SSDEEP

    6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 20 IoCs
  • Modifies registry class 43 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\form.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\075429.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\075429.tmp"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:1560
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KwJDGTQXOojYAHwdY\nXjeneOHykGkBu.dll"
          4⤵
            PID:300
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:112

      Network

            MITRE ATT&CK Enterprise v6

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\075429.tmp

              Filesize

              456.6MB

              MD5

              f9d2c9e31f29c24c240d8db4857fb187

              SHA1

              811afec2d2beed880c87daa4fcfd679522672bc6

              SHA256

              3bdd9e4e04591f6f28a5ffdbc006bed2e75a235b97fbd1e4ec431fa8b1c6041c

              SHA512

              22c01329b354d172316ec4cc44076d9ef9a73459a9a08c458a3bb7e7f8b78c7f374854faa3c0cec923b173508dfec9edd00923766026eea7af8b92496d798265

            • C:\Users\Admin\AppData\Local\Temp\075433.zip

              Filesize

              882KB

              MD5

              d347a9e713947d67f6f575738ef07cd7

              SHA1

              f51f3983960517b07bb97f5ba5495480a31c8c0f

              SHA256

              22babdda065e864cc6309f90833994a36353ae21d3a7be6e3aafaf51024448f0

              SHA512

              5aef4fe8dbf87c3ff7e11af5e76912ef4e91e51246935132ee38a404c1f86cc464b527c2d47750930472121a23d1741e7c8e57f5ce41904af0d065bf6555a651

            • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

              Filesize

              20KB

              MD5

              e3ada3faffe5af2cde3f67621977c9d2

              SHA1

              ea3e9f88152f1c46ed1ef95e501f1504f9dd2504

              SHA256

              f68b9133ebdd2b693a3e4baed71f69c3ba22beb8bcbdd488235f918db6bf8e55

              SHA512

              ff5c6b875534e7a53f58deea7d41a1e03b587a04d48a781057fa992763c1ab42f3e540fdfb9af0315fa5a3939dfab53086aef7de2a11c1ba4caf2f9a165d3849

            • \Users\Admin\AppData\Local\Temp\075429.tmp

              Filesize

              481.7MB

              MD5

              a450f2a4073e704e95bd1f21bad9f9cd

              SHA1

              62a0e112e8daea434bf1ad7222028e391a3d7909

              SHA256

              0844eef4a53e5f0f91a19aba6a6d106d4a4bed48f54558aa946c22638d318869

              SHA512

              ab0e87dd4bf18b43e694717f88f70c278ae2aaf01943aac9d997d6737ff01854f4d4d0823ed32ce2612c987ce5fb83396b629371a373f0cb987f58bf013b475c

            • \Users\Admin\AppData\Local\Temp\075429.tmp

              Filesize

              446.8MB

              MD5

              d0989e0e5ea83286f75cac3ebd94a1e2

              SHA1

              da8faa54bbf18318375370c5d32fd5245d8ed47a

              SHA256

              9c633f01fcd1d722a1a71e1a44a7d4074135c02e55ac8be4cafafaaf473e18e6

              SHA512

              3666799faa71eb62d23ea25d3a73749e2780478e5bd90b2767740a1f3a0cb5d7cf22d3273fbb37ceecb197e0397718ebdfe14dea591f7875748eab3a090aa5f0

            • memory/1560-1264-0x0000000000130000-0x0000000000131000-memory.dmp

              Filesize

              4KB

            • memory/2024-86-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-93-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-59-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-62-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-65-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-66-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-67-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-68-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-70-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-71-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-73-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-76-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-77-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-78-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-79-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-81-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-82-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-83-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-87-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-88-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-58-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-90-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-91-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-60-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-92-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-96-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-98-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-97-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-95-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-94-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-89-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-85-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-84-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-80-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-75-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-74-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-72-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-69-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-64-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-63-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-61-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-99-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-57-0x00000000002E0000-0x00000000003E0000-memory.dmp

              Filesize

              1024KB

            • memory/2024-1077-0x0000000006060000-0x0000000006061000-memory.dmp

              Filesize

              4KB

            • memory/2024-1269-0x0000000006060000-0x0000000006061000-memory.dmp

              Filesize

              4KB

            • memory/2024-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB