Analysis
-
max time kernel
23s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
08/03/2023, 09:45
Behavioral task
behavioral1
Sample
1.doc
Resource
win7-20230220-en
General
-
Target
1.doc
-
Size
516.3MB
-
MD5
c2ba98ea49f3d5f5b04d7980ed36b75d
-
SHA1
0b66f823f6edf03c3992d9265a43aa5ffa24938a
-
SHA256
1e041bead6abf833504e173d6b1026ee766bfef84635a7d222e520a673d8896c
-
SHA512
108011d99c013c97e462cb1792a8e5de1a1ebdccd5073acc2c5ac08dc8fcca0acd20eb0bfd37850721a46dffdf54d88bfac59aca6399dda8e4ee53434796e365
-
SSDEEP
6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1736 1980 regsvr32.exe 18 -
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1980 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1980 WINWORD.EXE 1980 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1980 WINWORD.EXE 1980 WINWORD.EXE
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1.doc"1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1980 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\094651.tmp"2⤵
- Process spawned unexpected child process
PID:1736 -
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\094651.tmp"3⤵PID:468
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\YhLsgkKrtjtM\EQOiPJHyYqkwRYo.dll"4⤵PID:1908
-
-
-
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1044
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
410.9MB
MD57475c86d57ee370f2cf2d9c30908ca7c
SHA116fcb70a6d7289bb778d416e1f0d645fd1f6dac0
SHA2566356816e8a8a9ffd4d32f96bec65000e4ac7d7d7088e0f08ed98b749289de5dd
SHA5125d6a50b9eb3e6bc6b0cd0eb7cf12f1a5e4547b6fdbc5822580cfb9d1273725cc4d985494e97d1789b7cf8892f3f2031adaf7df6a3a72be8011f47469f9dc3642
-
Filesize
852KB
MD5b68294947488080ff0a99def9ed22c4b
SHA18bf91771e28c84adb2ad80e92e9d4e13e6c52b6c
SHA256ae869a73754e3cd48c17ca12821abf2d188aeea7603b412f4fc7d5d0b6b2d9a3
SHA51268943596f0cac042deddd5893aba1d625cb2420238f858b5a0a372c932228e4fc7f4a0ca9cb1fe84852949137c40192058659ed058f2c0b5d7b1730448d2ad41
-
Filesize
20KB
MD5625678b0a890a9773350e53fbb5b2c00
SHA1b1a6da6c2cc1f7f93192a66320097d4a187477f9
SHA25661a19c93664059a9ed0dc660a5dbde02a95b3a601e3e152bb278a5870603430e
SHA512208bd5b04087f98ada5b1f4a2f8b6ff7560199df0f4658c7a3e55a096f22a74b1f9a22f5335194c5212a13c77100e4c5f6550f71f2f846121ec962812d991b4b
-
Filesize
481.0MB
MD5981e9024ce2d688158194e94a6124d39
SHA17b8f552e0d1234faa44c542fce6dd36f8234db35
SHA256f7fd2b56bd4d42c441641e4408beb6803005cf7e5faa84269af8c80ea0cfb0b5
SHA512ab1ced44a1f5a22f05bb24259b7cd5ae7853bdb21339972ecf2cb2217a4dfe6d5f932a3a04bebed0473038e14b932a6f85639e19f2f86f2cc3321e2cbbbfc1ff
-
Filesize
495.9MB
MD5688a29f6cd1173e6678f32c3da53f1d1
SHA155951768617fff688d8b4266283befb826602831
SHA2563a547e0c80968626f2d6603bcbf7c16d5d99c78c74a8adf1bf99c053666b3492
SHA51266f5e87899705151da7aff57cef3fe58f9b6f2919659f01a5f04e086a1447a41df34891938148c84efe783ffb7b5aeb49131365d2df06a662a191d2ee432dd1f