5d5902223f5e340838a0fa579cd751d1e55c0be5943694b0061aed4d147f09ff

Analysis

max time kernel
24s
max time network
94s
platform
windows7_x64
resource
win7-20230220-de
resource tags

arch:x64arch:x86image:win7-20230220-delocale:de-deos:windows7-x64systemwindows
submitted
09-03-2023 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Formular 2023.09.03_0902.doc
Size

501.4MB
MD5

eb8c4d15df3d23a23fc07217bbc7d421
SHA1

974a63a76637cf24e87d0baf264c68716edc9fe6
SHA256

e1bfad036ada626371f77502e13fa72c60610975c598b94e3956398ba243fd61
SHA512

420a6dd165546fc403e838b3b3d59aa8c8a333b1205d6d335e0ec48bfef592220c06a38590865d190df6ef44956309b07f94893f885b17f55ffb45c5dacf1c18
SSDEEP

6144:E9fcsHgsTGbWqjWQ6e7t/5MIUAWuVfzmSsWnpoWgXEyV/FF:2fPPGBWQ6CBMIUreiSXgXtF

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1012	912	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

912 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

912 WINWORD.EXE
912 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

912 WINWORD.EXE
912 WINWORD.EXE

pid	process
912	WINWORD.EXE

pid	process
912	WINWORD.EXE
912	WINWORD.EXE

pid	process
912	WINWORD.EXE
912	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Formular 2023.09.03_0902.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\122625.tmp"
2⤵
- Process spawned unexpected child process
PID:1012

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\122625.tmp"
3⤵
PID:892

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FDQLXWNfRPIesXxE\bhQrsumlSni.dll"
4⤵
PID:1192

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\122625.tmp

Filesize
528.5MB

MD5
d86ef1b48296cdcd77a87b86aaa8d69e

SHA1
5898d408f0ff95094a81bbea7cae41a247285ffa

SHA256
61d1979dd3218b41992f2c017b7a748772a4e731c78e53de4ae4cf474fa6c897

SHA512
c58414dd68195d2ce085e14f52f6be161c21df3ad6c70d856dd7729af5e61a03f1e18d70b4842dd1909440cae17285fa9c0844a6ce9a4b9f38e32817666540e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\122629.zip

Filesize
813KB

MD5
9d87f89d198d252433d3aa57d30a7f2a

SHA1
b03fb7fe7765e5457ff78624a8073be6e200b850

SHA256
d8a70af3e78ecc413497c9f6c6a8f0ca4a3a85756bf3b11b8ac158173ce110bf

SHA512
0d41db6a87f29c9afeac60dbf55d517a6287bd2504b6b04de6bc91868a366d53c3514f6063d6e435162ca2928995a00f9230d19a90801dc88ab9f6e53bce9446

Download Submit
\Users\Admin\AppData\Local\Temp\122625.tmp

Filesize
528.5MB

MD5
d86ef1b48296cdcd77a87b86aaa8d69e

SHA1
5898d408f0ff95094a81bbea7cae41a247285ffa

SHA256
61d1979dd3218b41992f2c017b7a748772a4e731c78e53de4ae4cf474fa6c897

SHA512
c58414dd68195d2ce085e14f52f6be161c21df3ad6c70d856dd7729af5e61a03f1e18d70b4842dd1909440cae17285fa9c0844a6ce9a4b9f38e32817666540e7

Download Submit
\Users\Admin\AppData\Local\Temp\122625.tmp

Filesize
334.7MB

MD5
05aef316e91d4e8bcc919a783178c723

SHA1
e62a3d2d17f9125665d7370b6b35c88bfa2e5709

SHA256
d80a85a4b02313bcb24a349a6f457ad03652f7be70a8b409f40663ba3725c3ec

SHA512
4b1e491056527e8e3ca949143e654c70a96598ec748dc7efc3a73711edcbd60020fb00e5b8aa7bfbfc16267aeb34f2ef81d569faaad8667afdbc663d4e362b08

Download Submit
memory/892-1768-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/912-84-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-69-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-59-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-58-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-61-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-60-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-62-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-63-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-65-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-64-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-66-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-67-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-68-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-89-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-70-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-71-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-72-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-73-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-75-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-74-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-76-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-79-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-77-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-78-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-80-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-81-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-83-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-82-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-85-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/912-90-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-87-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-94-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-57-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-86-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-91-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-92-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-88-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-93-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-95-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-96-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-98-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-97-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-99-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-100-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-101-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-102-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-103-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-104-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-105-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-107-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-106-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-109-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-108-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-110-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-111-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-112-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-113-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-115-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-114-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-116-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-117-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-119-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/912-1509-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/912-1775-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/1192-1770-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download