Analysis
  Max time kernel: 24s
  Max time network: 34s
  Platform: windows7_x64
  Resource: win7-20230220-en
  Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  Submitted: 08/03/2023, 08:03
Behavioral task: behavioral1
  Sample: Dat_8NWR9UK2ORB.doc
  Resource: win7-20230220-en
General
  Target: Dat_8NWR9UK2ORB.doc
  Size: 522.3MB
  MD5: 2148a6a2bef5a35ce5665cbc12d5e474
  SHA1: 2e87b33309c888ab7d655e92a45a31f15753fdee
  SHA256: f616da0ebb4f984aecd40da922c0cdf70987643a86afadc969aa76598120cd5d
  SHA512: fb232985018569cdbba001273278a6128af1395e1dc4631b023a0c49fefffd43a93dd6b0332c2cc634aa87d850ea2866614cacb6b064e57f4d48c7b41b60ea4c
  SSDEEP: 6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  PID: 1372 | PID target: 1980 | Process: regsvr32.exe | ProcID target: 17

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
  Description      | IoC                                                                                                                                                                                   | Process
  Key created      | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel                                                 | WINWORD.EXE
  Set value (str)  | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (int)  | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"                                  | WINWORD.EXE
  Key created      | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar                                                                            | WINWORD.EXE
  Key created      | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt                                                                            | WINWORD.EXE
  Key created      | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                                                           | WINWORD.EXE
  Set value (int)  | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"                                           | WINWORD.EXE
  Set value (str)  | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"                                               | WINWORD.EXE
  Set value (str)  | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE

Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Description: HTTP User-Agent header | Flow: 2 | IoC: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID: 1980 | Process: WINWORD.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID: 1980 | Process: WINWORD.EXE
  PID: 1980 | Process: WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID: 1980 | Process: WINWORD.EXE
  PID: 1980 | Process: WINWORD.EXE
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Dat_8NWR9UK2ORB.doc"
  PID: 1980
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\080527.tmp"
    PID: 1372
    - Process spawned unexpected child process

    C:\Windows\system32\regsvr32.exe
      Command line: /s "C:\Users\Admin\AppData\Local\Temp\080527.tmp"
      PID: 1672

      C:\Windows\system32\regsvr32.exe
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JuqBhCjlXmKzE\RDMdV.dll"
        PID: 1812

  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1616
Network
MITRE ATT&CK Enterprise v6
Downloads