771bd0f1fb88e25928d4f5ba367b024ff31829caa6d03fd0a1009b97c6f7f416

Analysis

max time kernel
28s
max time network
98s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09/03/2023, 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fattura marzo.doc
Size

544.4MB
MD5

018a28824bf31c283dae1bb5049382a4
SHA1

f7942a61798fe60daf7e2ae38e837dbbd4c70111
SHA256

f16b62af7304055caaa907e376abb895a6655767b115b41e7e3fa95d4173e26c
SHA512

b766054725c4f8d131847663dda01120e98019f7173c8daf1fecb3e8bc28991644a78d7ca6266cb90f2d9c25ede356e2bcf75f396cced56dc8ca4dcdc4ee67c6
SSDEEP

6144:E9fcsHgsTGbWqjWQ6e7t/5MIUAWuVfzmSsWnpoWgXEyV/FF:2fPPGBWQ6CBMIUreiSXgXtF

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	760	1980	regsvr32.exe	27

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1980	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1980	WINWORD.EXE
1980	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1980	WINWORD.EXE
1980	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fattura marzo.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1980
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\101926.tmp"
  2⤵
  - Process spawned unexpected child process
  PID:760
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Local\Temp\101926.tmp"
    3⤵
    PID:1892
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VEFmHvUIE\CadrLeYbJbVXxK.dll"
      4⤵
      PID:1508
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\101926.tmp

Filesize
545.7MB

MD5
12f3e0a55b04c19b5e206adb6904facc

SHA1
40f9ec03ef0491c0e26d1c40bc439baed7eb07c7

SHA256
7a7d6cff919563c2461de6184b5ff85ae72cb6b93f32e8c2c4b94e7676d72e85

SHA512
3ee82ddd46607e1aa376f80641618ca138527675e278fe7e4099434d49c65557df61240409223d880d126ed0caf1870df8c902997cfda566954b9ede5d3f2efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\101930.zip

Filesize
869KB

MD5
a1b5ad0b184ed8c4de38a2017418bdde

SHA1
58910c4b54dc1a0fcbd2e319dd29f0d73499d331

SHA256
a2268aea65d040926d994b70260b54e7ddca1d7243fdc69574d4eeccf608b9eb

SHA512
ca672e14e83fc651d29aa9e183f8921f6212d033949ab3e09e5de35a07b6b6ae77f8ab667328c58c60f0ff7ed828256f3259ff84fc1fee28cd25a429f1f3bd29

Download Submit
\Users\Admin\AppData\Local\Temp\101926.tmp

Filesize
500.9MB

MD5
133d152f645977831c4087091b8b31a6

SHA1
a91796928214070bc9478b5a8948bb45b7917f09

SHA256
08f6086d287281564ddbd2e86643c4f482a818221340efb7c172936f72fa7475

SHA512
35148b1171a881cc9a8b5164d0a7ae6b3ec161656106a99e6ddc60dc5ec6138aaf5ef6dd6f35d2cded14d2efc0d024ac157323055e4c937f8c37189fe10db4d2

Download Submit
\Users\Admin\AppData\Local\Temp\101926.tmp

Filesize
545.7MB

MD5
12f3e0a55b04c19b5e206adb6904facc

SHA1
40f9ec03ef0491c0e26d1c40bc439baed7eb07c7

SHA256
7a7d6cff919563c2461de6184b5ff85ae72cb6b93f32e8c2c4b94e7676d72e85

SHA512
3ee82ddd46607e1aa376f80641618ca138527675e278fe7e4099434d49c65557df61240409223d880d126ed0caf1870df8c902997cfda566954b9ede5d3f2efb

Download Submit
memory/1508-1775-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1892-1768-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1980-88-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-94-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-57-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-61-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-60-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-62-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-63-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-64-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-65-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-67-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-66-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-68-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-69-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-70-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-72-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-71-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-73-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-74-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-76-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-77-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-78-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-79-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-81-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-82-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-83-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-84-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-85-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-87-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-59-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-89-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-58-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-90-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-104-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-91-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-96-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-97-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-98-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-99-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-100-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-103-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-93-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-102-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-105-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-106-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-107-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-108-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-109-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-110-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-111-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-113-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-114-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-115-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-112-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-116-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-101-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-95-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-92-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-86-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-80-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-75-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-117-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1980-1509-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/1980-1774-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/1980-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download