Analysis

  • max time kernel
    114s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/03/2023, 09:39

General

  • Target

    954895897851030__2023-08-03_0953.doc

  • Size

    502.3MB

  • MD5

    a59e9fe46fe7ccd8c74b1dc39553d1a5

  • SHA1

    6b2699157dd7bb19cdb7f0ffb959c20c90318e9c

  • SHA256

    4792472bd90dab5885a789793a3309109b7f8d305203faa011d92b0efdf1720b

  • SHA512

    cfc9951ccf2e7001184b71855c1074c5c8a74b8739494121f5df6f8151d90af6ff5f9ea6b524f71fc4d5b3a3ded608172372c49cb9f7771c6594cb19d179435d

  • SSDEEP

    6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\954895897851030__2023-08-03_0953.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\104511.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\104511.tmp"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WpTLJpen\FZAzAwIB.dll"
          4⤵
            PID:1804
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1400

      Network

            MITRE ATT&CK Enterprise v6

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\104511.tmp

              Filesize

              516.7MB

              MD5

              17aa8e88ec9a9880480f13ec5355ac22

              SHA1

              7c342e547e70d4d6daae44d4bf0e66d67b06de12

              SHA256

              181491fae77d98ce9bb1deddc6c1b53da04f9994c55faf96c5c4bee3c2105097

              SHA512

              1323637048423882f84baf4fec83fb269f2c0aec9ef40445e487f22a898bdc4992826b4b5891d2fe2cacd58723cadffc1294cf205c9291b405ef96b4fe59ae43

            • C:\Users\Admin\AppData\Local\Temp\104514.zip

              Filesize

              852KB

              MD5

              b68294947488080ff0a99def9ed22c4b

              SHA1

              8bf91771e28c84adb2ad80e92e9d4e13e6c52b6c

              SHA256

              ae869a73754e3cd48c17ca12821abf2d188aeea7603b412f4fc7d5d0b6b2d9a3

              SHA512

              68943596f0cac042deddd5893aba1d625cb2420238f858b5a0a372c932228e4fc7f4a0ca9cb1fe84852949137c40192058659ed058f2c0b5d7b1730448d2ad41

            • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

              Filesize

              20KB

              MD5

              267985bd1f0e6c64944f228c9a3929eb

              SHA1

              2a88df84fa15c2f1d7f96888225507e8a2db346e

              SHA256

              f84a1224a9b2b929f2073d106af0da1a6fdcbce053f8b96dbaeec0481b5ca8dd

              SHA512

              a625e15e2c89f4542ffbd200e2883fe8aed8b431194d09bd3b5f30e6b6528b57af611a961de50cd3cd3a45de4cc2873a46d0fb23d7c197eb1c432a2b598df2a0

            • \Users\Admin\AppData\Local\Temp\104511.tmp

              Filesize

              516.7MB

              MD5

              17aa8e88ec9a9880480f13ec5355ac22

              SHA1

              7c342e547e70d4d6daae44d4bf0e66d67b06de12

              SHA256

              181491fae77d98ce9bb1deddc6c1b53da04f9994c55faf96c5c4bee3c2105097

              SHA512

              1323637048423882f84baf4fec83fb269f2c0aec9ef40445e487f22a898bdc4992826b4b5891d2fe2cacd58723cadffc1294cf205c9291b405ef96b4fe59ae43

            • memory/1800-1264-0x0000000000260000-0x0000000000261000-memory.dmp

              Filesize

              4KB

            • memory/1804-1267-0x0000000000300000-0x0000000000301000-memory.dmp

              Filesize

              4KB

            • memory/2020-78-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-84-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-60-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-61-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-62-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-63-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-64-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-66-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-65-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-67-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-68-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-69-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-70-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-71-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-72-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-73-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-74-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-75-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-76-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-58-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-79-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-77-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-80-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-59-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-83-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-85-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-86-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-87-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-89-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-91-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-90-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-92-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-93-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-94-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-95-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-96-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-97-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-98-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-88-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-82-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-81-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-99-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-114-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-1077-0x00000000062B0000-0x00000000062B1000-memory.dmp

              Filesize

              4KB

            • memory/2020-1265-0x00000000062B0000-0x00000000062B1000-memory.dmp

              Filesize

              4KB

            • memory/2020-57-0x00000000004B0000-0x00000000005B0000-memory.dmp

              Filesize

              1024KB

            • memory/2020-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB