Overview

overview

10

Static

static

8

2023-03-09_1641.doc

windows7-x64

10

2023-03-09_1641.doc

windows10-2004-x64

10

Resubmissions

09/03/2023, 13:27

230309-qqgx3ace75 10

09/03/2023, 08:02

230309-jxggjsbc56 8

09/03/2023, 07:55

230309-jskcmsab7t 10

Analysis

  • max time kernel
    131s
  • max time network
    103s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09/03/2023, 07:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2023-03-09_1641.doc

  • Size

    528.4MB

  • MD5

    2497f00196794d6011c1f95d659fb948

  • SHA1

    c9d0caba43352645f7aee4242350c938a0b4bf4e

  • SHA256

    66b9053b5c63bac17c1ab5fd3f0e385a6c1fd579b0d05ba86aacd3bea54c558a

  • SHA512

    faf794202164330cbaffb01447df2567aa090728f73db5fb2bbba050094b4332c3172fe35438fa76d9adea17b793bef1686baf06f76a9002b95c41b1c65c9e7e

  • SSDEEP

    6144:E9fcsHgsTGbWqjWQ6e7t/5MIUAWuVfzmSsWnpoWgXEyV/FF:2fPPGBWQ6CBMIUreiSXgXtF

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-09_1641.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\085656.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\085656.tmp"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:696
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DELutKfwoRYwPmv\jhPdT.dll"
          4⤵
            PID:780
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1936

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\085656.tmp
        Filesize

        542.7MB

        MD5

        0feba8ad11e903584421f5717a7fba06

        SHA1

        07b1ed71825d6df711cbbd41be6a5a874c788108

        SHA256

        5c5101d99b8dbcfbb4b2ede2f1de29365cf756079a426334ef143a0aeb32553c

        SHA512

        b99ded0b5a886b67a011d80cdca4987e05c68761e6b016efc297c21f7894c92209d37a86855cab3a0dffd38ac5d9dcf311de75a829fad3b8a5293b1dbb664bc5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\085701.zip
        Filesize

        866KB

        MD5

        911bea9b5f1d414a7b5829cc4f25d3f8

        SHA1

        62e42ddd37d1f7d22c9787dd337b5b2109e99eb9

        SHA256

        ea8351aed2d8080994b8b0c855ca3e4f3013923d0698290df6d05687f9fa6b14

        SHA512

        6f58135c8724d403f5f874796d3ba0f0beefa839ec56efc1b852bed96409c0f5928dd5deb86d05528726e89829a95aa9df18ce3445b796c9eedbc23a2c28f9da

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        6fcdc7deda5aeb586231e152b14c297c

        SHA1

        45edf34860dc8f89ddcc87f2d0c87f2d110d0901

        SHA256

        f401a5d49ca574fb93b58efb7b4b3e4dec3bc29221182574d5f77028f949c1c4

        SHA512

        b9ec1a7201c658790b9b780f93925fdb92f2da723296e9a342eb32cfe24fa3dfdad9d9a1c0d205aae12be903efb76f1a154b05556525ac3b5d695d03a8b5f03e

        Download Submit

      • \Users\Admin\AppData\Local\Temp\085656.tmp
        Filesize

        542.7MB

        MD5

        0feba8ad11e903584421f5717a7fba06

        SHA1

        07b1ed71825d6df711cbbd41be6a5a874c788108

        SHA256

        5c5101d99b8dbcfbb4b2ede2f1de29365cf756079a426334ef143a0aeb32553c

        SHA512

        b99ded0b5a886b67a011d80cdca4987e05c68761e6b016efc297c21f7894c92209d37a86855cab3a0dffd38ac5d9dcf311de75a829fad3b8a5293b1dbb664bc5

        Download Submit

      • \Users\Admin\AppData\Local\Temp\085656.tmp
        Filesize

        542.7MB

        MD5

        0feba8ad11e903584421f5717a7fba06

        SHA1

        07b1ed71825d6df711cbbd41be6a5a874c788108

        SHA256

        5c5101d99b8dbcfbb4b2ede2f1de29365cf756079a426334ef143a0aeb32553c

        SHA512

        b99ded0b5a886b67a011d80cdca4987e05c68761e6b016efc297c21f7894c92209d37a86855cab3a0dffd38ac5d9dcf311de75a829fad3b8a5293b1dbb664bc5

        Download Submit

      • memory/696-1768-0x0000000000120000-0x0000000000121000-memory.dmp

        Filesize

        4KB

        Download

      • memory/780-1770-0x0000000000170000-0x0000000000171000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1148-89-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-96-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-58-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-61-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-62-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-63-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-64-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-65-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-66-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-68-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-69-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-70-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-73-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-72-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-74-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-75-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-76-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-77-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-79-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-80-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-81-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-82-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-84-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-83-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-86-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-85-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-87-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-59-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-90-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-91-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-60-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-92-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-104-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-93-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-98-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-97-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-102-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-101-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-103-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-100-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-94-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-106-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-107-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-108-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-109-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-110-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-112-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-113-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-114-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-115-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-111-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-105-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-99-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-95-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-88-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-78-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-71-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-67-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-116-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-117-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-1509-0x0000000006290000-0x0000000006291000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1148-1769-0x0000000006290000-0x0000000006291000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1148-57-0x0000000000760000-0x0000000000860000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1148-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download