Analysis
max time kernel: 22s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 08/03/2023, 08:42

Behavioral task: behavioral1
Sample: Copia Fattura.doc
Resource: win7-20230220-en

General
Target: Copia Fattura.doc
Size: 534.3MB
MD5: e7483391a9b507ecbdfa411553650531
SHA1: fdb26fdd782b2ac4dd26bb4e038730c2defb3918
SHA256: a99eb971a4d11235924443dfd0308e731205b6320e6939526d94f91a43c64248
SHA512: e40f21a2919036fca9f54bc7f2926777cb7890195ac22f789bddab0bf9e08403f69fcb493c3214dd9ffdaa65c0812885fd75d119dcd32a59133a3dccc85e1e1d
SSDEEP: 6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2012 | 944 | regsvr32.exe | 26

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 2 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
944 | WINWORD.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
944 | WINWORD.EXE
944 | WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
944 | WINWORD.EXE
944 | WINWORD.EXE
Processes

- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1, PID 944)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Copia Fattura.doc"
  Signatures: Modifies Internet Explorer settings; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\regsvr32.exe (depth 2, PID 2012)
    Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\085955.tmp"
    Signatures: Process spawned unexpected child process
    - C:\Windows\system32\regsvr32.exe (depth 3, PID 1264)
      Command line: /s "C:\Users\Admin\AppData\Local\Temp\085955.tmp"
      - C:\Windows\system32\regsvr32.exe (depth 4, PID 840)
        Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NNyvhcQBMHfWzL\ijviVujK.dll"
  - C:\Windows\splwow64.exe (depth 2, PID 1016)
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v6