Overview

overview

10

Static

static

8

fattura marzo.doc

windows7-x64

10

fattura marzo.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    84s
  • max time network
    109s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09-03-2023 12:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fattura marzo.doc

  • Size

    541.3MB

  • MD5

    2e40c29700e6404798fc6f8ec55c36a8

  • SHA1

    54a9835fd10c76c54fbd3a9442ecde7d12acc920

  • SHA256

    dedc884d516f2a7a9e78aa37810ee335d24ba93f418b8096712ed8879570269f

  • SHA512

    e72d419312663e0c9f58d3f3aba6b49521837553f8b06a2fff4858bf56207d069ebc702553ff619b759cfed065242c4a19141740223cd87018303a6c0021af4d

  • SSDEEP

    6144:QDuxuMOZCBtANveapnaWVgsaNlbfXhoEHC87pnkTnlzIWZ4:18yGZZak8fxJB1e5IWZ4

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fattura marzo.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\130646.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\130646.tmp"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:1996
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MEsxyNAJvcGufK\ZTkJAzQpvLaAPlL.dll"
          4⤵
            PID:1308
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1608

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        61KB

        MD5

        e71c8443ae0bc2e282c73faead0a6dd3

        SHA1

        0c110c1b01e68edfacaeae64781a37b1995fa94b

        SHA256

        95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

        SHA512

        b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        36792529a690f05fa16bff936861be17

        SHA1

        8eb3bae553005deece019b40efc44ebbc32003a1

        SHA256

        e4583c9e77cbea836597c39295b58f60b434c42dd08f4c25c89b196f2d7d8204

        SHA512

        d64c6fd34ca07e6c899be29088289c60e7fc3a839deb09ce17665a4a566f56ee5c4dfcbb24d657d50164b1788f1c6799788ab4976c025425210edba37eb4177c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\130646.tmp
        Filesize

        478.4MB

        MD5

        7f57f6fc2d90c0a9458bc4e89e19f11f

        SHA1

        968ac1aaf1857634a46dbf0a82e8978651a1df04

        SHA256

        bc3fd3dd6b1c96409157244ca3dd8c25f5615a080eebfd0384678e6bc0f3c37e

        SHA512

        07861992c3c18d23bf123e7e9e10f72e27e1ab35c2218f8264273173844345d34e809eb28f2817231aa965d2b565a999f3a7b38bd03b595cbb8c5171b83decde

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\130713.zip
        Filesize

        798KB

        MD5

        ea157e259e7b9c791c817cb302b4d4e3

        SHA1

        4a61863b57223ecc6ee4f34f2eb333280ba9f8d9

        SHA256

        7a3a68f42d66ecd60083c3f6cef33f97f4f76c98d991f642e6387d75c7a34818

        SHA512

        8fe2bd5c8cc90136bf5a7dc3fc229a5ce4505e77c0dda793324730d84d43fa893c0145db74da5ea191f5135850b0de4956f307bbce9efff1e684892a99a0481e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CabC621.tmp
        Filesize

        61KB

        MD5

        fc4666cbca561e864e7fdf883a9e6661

        SHA1

        2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

        SHA256

        10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

        SHA512

        c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\TarC78E.tmp
        Filesize

        161KB

        MD5

        be2bec6e8c5653136d3e72fe53c98aa3

        SHA1

        a8182d6db17c14671c3d5766c72e58d87c0810de

        SHA256

        1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

        SHA512

        0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        9c99396039af10672f5b3df03a425e64

        SHA1

        6abc28bc334fdaa496864a0750cfe63683f877db

        SHA256

        5ffabe337db83e1967c9e02d3f924396df906bceda41f5bab79de6d180ffa7b4

        SHA512

        9c858766500506c42e0d9974350cbbdf575c3f5db24f8c72489e56319fdcc08a658ba149d95cbfbe1f457c8bbeeca9b6db8cdee2019de98097efae17083cb36c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

        Download Submit

      • \Users\Admin\AppData\Local\Temp\130646.tmp
        Filesize

        462.6MB

        MD5

        3e8cdb02d4b2379f4a47717116524302

        SHA1

        36a234386f7cb56fa2d0ffd4b7f440f8427c0c22

        SHA256

        c796aa688e918f5aff94e385ee2422a052505fdbe0cf4d21469872163fc8e7c4

        SHA512

        af67ec3f90cb1bb631b3bfb63c5cb38817f4022857d2688ccbcb991b6a1f453efebd497cc1ebf53e6758e5b9e689be7c737c3f8595ed570e3e41c2f386162649

        Download Submit

      • \Users\Admin\AppData\Local\Temp\130646.tmp
        Filesize

        374.1MB

        MD5

        e9fa4a92291ea66148a50d54bce4e642

        SHA1

        939bcb6c2da0673f2d7c9b0d244a0b3430b86b68

        SHA256

        5ed81c7d6a8d89e1681de2bc1b1e7e4343e5191bc3b583a411809e1d48176814

        SHA512

        cf27e94ff7690bfca588a2bc6c749545c55ee77752498d0260a797006849b7fc8361fe4fb4889af6612d6fb315eed4358f4a4358988226857fc254c725516452

        Download Submit

      • memory/1308-1964-0x0000000000130000-0x0000000000131000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1324-89-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-95-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-66-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-67-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-65-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-64-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-68-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-69-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-70-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-71-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-73-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-72-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-74-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-75-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-77-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-76-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-78-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-79-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-80-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-81-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-83-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-82-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-85-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-84-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-86-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-87-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-88-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-57-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-90-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-91-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-92-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-93-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-94-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-63-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-96-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-97-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-99-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-98-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-101-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-100-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-103-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-102-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-106-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-107-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-105-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-104-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-111-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-112-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-110-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-109-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-108-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-116-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-117-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-115-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-114-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-113-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-118-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-119-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-1671-0x0000000006080000-0x0000000006081000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1324-58-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-59-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-60-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1324-1948-0x0000000006080000-0x0000000006081000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1324-62-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1324-61-0x00000000007A0000-0x00000000008A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1996-1947-0x00000000001A0000-0x00000000001A1000-memory.dmp

        Filesize

        4KB

        Download