Analysis

  • max time kernel
    127s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/03/2023, 09:16

General

  • Target
    20230308_67941_0027.doc
  • Size
    500.3MB
  • MD5
    8309b9d9bc264d02be48159c94cfda59
  • SHA1
    425d0846499519fbf2c0b8def88d5b959337f675
  • SHA256
    a6d45450a1734c4e3b45469c4921862d0ac16b8e19cce98db0325ed4dcbf6bd3
  • SHA512
    9c93715effaecf18d8b8c1f8d4915006fd7d73548712abade79b02c3d0a9897d4fe74bd6a1d4305366ce60fd210bf641e179e6c09711638e8d4535e82a83c328
  • SSDEEP
    6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\20230308_67941_0027.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\102035.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\102035.tmp"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NejuZpg\ZCXyyN.dll"
          4⤵
          PID:1516
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
        PID:432

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\102035.tmp
    Filesize
    516.7MB
    MD5
    17aa8e88ec9a9880480f13ec5355ac22
    SHA1
    7c342e547e70d4d6daae44d4bf0e66d67b06de12
    SHA256
    181491fae77d98ce9bb1deddc6c1b53da04f9994c55faf96c5c4bee3c2105097
    SHA512
    1323637048423882f84baf4fec83fb269f2c0aec9ef40445e487f22a898bdc4992826b4b5891d2fe2cacd58723cadffc1294cf205c9291b405ef96b4fe59ae43
  • C:\Users\Admin\AppData\Local\Temp\102038.zip
    Filesize
    852KB
    MD5
    b68294947488080ff0a99def9ed22c4b
    SHA1
    8bf91771e28c84adb2ad80e92e9d4e13e6c52b6c
    SHA256
    ae869a73754e3cd48c17ca12821abf2d188aeea7603b412f4fc7d5d0b6b2d9a3
    SHA512
    68943596f0cac042deddd5893aba1d625cb2420238f858b5a0a372c932228e4fc7f4a0ca9cb1fe84852949137c40192058659ed058f2c0b5d7b1730448d2ad41
  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize
    20KB
    MD5
    95eda1d379963f615fd2f6523c20f5d4
    SHA1
    30e94629100f97b87a99884393111d4028700aba
    SHA256
    7dd442142933bbe7cf7c7d304e8b0e9c65bc59f5d4873c22d72ce7e6af8c15cf
    SHA512
    fc220ad86b49802e8c182c05ba83efcfd62b57ec46e2ecf6be6171bef2401c6ddccb02e67ed368c2465c9dfd2f5935fd167112d130665b89a5769599781c1cbc
  • \Users\Admin\AppData\Local\Temp\102035.tmp
    Filesize
    516.7MB
    MD5
    17aa8e88ec9a9880480f13ec5355ac22
    SHA1
    7c342e547e70d4d6daae44d4bf0e66d67b06de12
    SHA256
    181491fae77d98ce9bb1deddc6c1b53da04f9994c55faf96c5c4bee3c2105097
    SHA512
    1323637048423882f84baf4fec83fb269f2c0aec9ef40445e487f22a898bdc4992826b4b5891d2fe2cacd58723cadffc1294cf205c9291b405ef96b4fe59ae43
  • memory/1248-1264-0x00000000003B0000-0x00000000003B1000-memory.dmp
    Filesize
    4KB
  • memory/1516-1271-0x0000000000170000-0x0000000000171000-memory.dmp
    Filesize
    4KB
  • memory/2008-95-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-98-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-87-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-89-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-88-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-90-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-91-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-93-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-94-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/2008-96-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-92-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-97-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-86-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-121-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-163-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-178-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-205-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-85-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-1077-0x0000000006310000-0x0000000006311000-memory.dmp
    Filesize
    4KB
  • memory/2008-83-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-84-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-82-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-81-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-1270-0x0000000006310000-0x0000000006311000-memory.dmp
    Filesize
    4KB
  • memory/2008-80-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB
  • memory/2008-79-0x0000000000470000-0x0000000000570000-memory.dmp
    Filesize
    1024KB