Analysis
max time kernel: 22s
max time network: 87s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 08/03/2023, 09:39
Behavioral tasks
behavioral1: Sample cd85f250-b0e5-bfcd-24ff-fde4febbf706.eml, Resource win7-20230220-en
behavioral2: Sample cd85f250-b0e5-bfcd-24ff-fde4febbf706.eml, Resource win10v2004-20230220-en
behavioral3: Sample K-1 03.07.2023.zip, Resource win7-20230220-en
behavioral4: Sample K-1 03.07.2023.zip, Resource win10v2004-20230220-en
behavioral5: Sample K-1 03.07.2023.doc, Resource win7-20230220-en
behavioral6: Sample K-1 03.07.2023.doc, Resource win10v2004-20230220-en
behavioral7: Sample email-html-1.html, Resource win7-20230220-en
behavioral8: Sample email-html-1.html, Resource win10v2004-20230220-en
General
Target: K-1 03.07.2023.doc
Size: 527.2MB
MD5: fd37aece5d1c1538fdaab4b4fa1fa16a
SHA1: 101fbc6beec580efc3582c7f619c711e9fb6d385
SHA256: d9988c6dcd1c169af8db5bc3c363f18f66501a63dd9fc1b671ad32f5de359472
SHA512: 99cc15b540873054513d9f3fb13b250b253ab77ca83c45b350af17d04572b76db67c5f176627aaa8741113bc26d6890a15bde794557065dc9c341a65a4c13fb0
SSDEEP: 3072:eoEW2aOtFjH0lP2IpjctfRcVVwEi/A8NVM1wIOCbX6bYLjWFJuvx7ueK6:ZE1aOtFa2I9c3aVw4zwxCbJ4Jup
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
pid: 836 (regsvr32.exe), pid_target: 1692, procid_target: 26

Office loads VBA resources, possible macro or embedded object present
(no IoC rows listed)

Modifies Internet Explorer settings (9 IoCs)
Process for every row: WINWORD.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description: HTTP User-Agent header, flow: 5, ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid: 1692, Process: WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
pid: 1692, Process: WINWORD.EXE
pid: 1692, Process: WINWORD.EXE
Processes (indentation shows parent/child depth)

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\K-1 03.07.2023.doc"
  PID: 1692
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\094022.tmp"
      PID: 836
      - Process spawned unexpected child process

        C:\Windows\system32\regsvr32.exe
          Command line: /s "C:\Users\Admin\AppData\Local\Temp\094022.tmp"
          PID: 1220

            C:\Windows\system32\regsvr32.exe
              Command line: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WRzVwkmp\bLyMZs.dll"
              PID: 840

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 1540
Network
MITRE ATT&CK Enterprise v6
Downloads