Analysis
- max time kernel: 24s
- max time network: 94s
- platform: windows7_x64
- resource: win7-20230220-de
- resource tags: arch:x64, arch:x86, image:win7-20230220-de, locale:de-de, os:windows7-x64, system, windows
- submitted: 09-03-2023 11:25
Behavioral task behavioral1
- Sample: Formular 2023.09.03_0902.doc
- Resource: win7-20230220-de
Behavioral task behavioral2
- Sample: Formular 2023.09.03_0902.doc
- Resource: win10v2004-20230220-de
General
- Target: Formular 2023.09.03_0902.doc
- Size: 501.4MB (far larger than any legitimate form document; inflating a file to hundreds of megabytes is a common way to push it past the size limits of AV engines and sandboxes)
- MD5: eb8c4d15df3d23a23fc07217bbc7d421
- SHA1: 974a63a76637cf24e87d0baf264c68716edc9fe6
- SHA256: e1bfad036ada626371f77502e13fa72c60610975c598b94e3956398ba243fd61
- SHA512: 420a6dd165546fc403e838b3b3d59aa8c8a333b1205d6d335e0ec48bfef592220c06a38590865d190df6ef44956309b07f94893f885b17f55ffb45c5dacf1c18
- SSDEEP: 6144:E9fcsHgsTGbWqjWQ6e7t/5MIUAWuVfzmSsWnpoWgXEyV/FF:2fPPGBWQ6CBMIUreiSXgXtF
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- regsvr32.exe (PID 1012), target process WINWORD.EXE (PID 912): Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
Processes: all writes below are by WINWORD.EXE, under \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer
- Set value (str) MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key created Toolbar
- Key created MenuExt\Se&nd to OneNote
- Set value (str) MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Key created MenuExt\E&xport to Microsoft Excel
- Set value (int) MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Set value (str) Toolbar\ShowDiscussionButton = "Yes"
- Key created MenuExt
- Set value (int) MenuExt\Se&nd to OneNote\Contexts = "55"
These are the Internet Explorer context-menu and toolbar entries that Office 2010 (Office14) registers for its own IE integration the first time it runs under a user profile; they are expected Word behaviour in a fresh sandbox image, not activity of the macro's payload.
Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
- flow 2: HTTP User-Agent header "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
- flow 4: HTTP User-Agent header "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
This is the default User-Agent of the WinHttp.WinHttpRequest COM object, which is what VBA and VBScript typically use to fetch a second stage; a browser never sends it, so it is a useful pivot in proxy logs.
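To show how the "Script User-Agent" signature translates into a proxy-log hunt, the following Python is added here as an illustration; it is not code from the report or from the sandbox vendor. It parses constructed proxy log lines (the log format, the hosts 198.51.100.7 and 203.0.113.9, and the client addresses are all invented for the example; the two WinHTTP flows mirror the IoCs above) and flags requests whose User-Agent belongs to a script host or download tool rather than a browser. The pattern list goes beyond this sample by also covering PowerShell, BITS and common CLI clients.

```python
import re
from collections import Counter

# Constructed proxy log lines (not taken from the report). Format, assumed for the
# example: "<timestamp> <client-ip> <method> <url> "<user-agent>" <status>".
LOG_LINES = [
    '2023-03-09T11:25:41Z 10.0.0.5 GET http://198.51.100.7/ '
    '"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" 200',
    '2023-03-09T11:25:43Z 10.0.0.5 GET http://203.0.113.9/ '
    '"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" 200',
    '2023-03-09T11:25:50Z 10.0.0.6 GET https://www.example.com/ '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/110.0.0.0 Safari/537.36" 200',
    '2023-03-09T11:25:58Z 10.0.0.7 GET https://www.example.com/update '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364" 200',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)" (?P<status>\d{3})$'
)

# User-Agent fragments that identify a script host or download tool rather than a
# browser. The WinHTTP entry is the default UA of the WinHttp.WinHttpRequest COM
# object (VBA/VBScript/JScript); the others are well-known defaults of the named tools.
SCRIPT_HOST_UAS = {
    "winhttp_com": re.compile(r"WinHttp\.WinHttpRequest\.\d", re.I),
    "powershell": re.compile(r"WindowsPowerShell/", re.I),   # Invoke-WebRequest default
    "bits": re.compile(r"^Microsoft BITS/", re.I),
    "cli_tool": re.compile(r"^(curl|Wget|python-requests)/", re.I),
}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_ua(ua):
    """Label the User-Agent with the first matching script-host pattern, else None."""
    for label, pattern in SCRIPT_HOST_UAS.items():
        if pattern.search(ua):
            return label
    return None


def flag_script_user_agents(lines):
    """Run the rule over log lines; malformed lines are skipped rather than matched."""
    hits = []
    for number, line in enumerate(lines, 1):
        record = parse_line(line)
        if record is None:
            continue
        label = classify_ua(record["ua"])
        if label:
            hits.append({"line": number, "client": record["client"],
                         "url": record["url"], "label": label})
    return hits


def clients_by_hits(hits):
    """Count flagged requests per client so the noisiest host surfaces first."""
    return Counter(hit["client"] for hit in hits)


if __name__ == "__main__":
    found = flag_script_user_agents(LOG_LINES)
    for hit in found:
        print(f"line {hit['line']}: {hit['client']} -> {hit['url']} [{hit['label']}]")
    print(clients_by_hits(found))
```

Treat a hit as a hunting lead rather than a verdict: administrative scripts legitimately use the same user agents, so the flagged client (here 10.0.0.5, the host that made both WinHTTP requests) should be tied back to the originating process, which in this report is a Word document's macro chain.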
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- WINWORD.EXE (PID 912)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- WINWORD.EXE (PID 912), twice
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- WINWORD.EXE (PID 912), twice
All three of these fire on the Word process itself and are routine for any interactive Office application; on their own they carry little signal.
Processes
1  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Formular 2023.09.03_0902.doc"  (PID 912)
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   2  C:\Windows\SysWOW64\regsvr32.exe, launched as "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\122625.tmp"  (PID 1012)
      - Process spawned unexpected child process
      3  C:\Windows\system32\regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\122625.tmp"  (PID 892)
         4  C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FDQLXWNfRPIesXxE\bhQrsumlSni.dll"  (PID 1192)
   2  C:\Windows\splwow64.exe 12288  (PID 1504)
Reading the chain: the 32-bit Word process silently (/s) registers a .tmp file dropped in the user's Temp directory, and WoW64 redirects its System32 path to SysWOW64. That 32-bit regsvr32 re-launches its 64-bit counterpart, which is what regsvr32 does when handed a DLL of the other bitness. The final regsvr32 then registers a DLL from a randomly named directory under System32, so the Temp-stage DLL evidently wrote a copy of itself to a persistent location and re-registered it. splwow64.exe is the print-driver host that a 32-bit Office process starts for printing and GDI work; it is not part of the infection chain.
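The process tree above is the parent/child chain that the "Process spawned unexpected child process" signature keys on. The following Python is added here as an illustration and is not code from the report or from the sandbox vendor. It rebuilds the tree from constructed process-creation events (the field names pid, ppid, image and cmdline are assumptions, as is the placeholder parent of WINWORD; map your Sysmon or EDR fields onto them) and flags three things seen in this sample: an Office application spawning a living-off-the-land binary, regsvr32 loading a payload from a user-writable directory, and regsvr32 with an Office ancestor registering a DLL from a randomly named System32 subdirectory. The Office and LOLBin lists and the "random directory" regex are heuristics chosen for the example, and they generalise beyond this one sample.

```python
import re

# Constructed process-creation events modelled on this report's process tree.
# Field names are an assumption; WINWORD's parent (ppid 0) is a placeholder.
EVENTS = [
    {"pid": 912, "ppid": 0,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
                r'"C:\Users\Admin\AppData\Local\Temp\Formular 2023.09.03_0902.doc"'},
    {"pid": 1012, "ppid": 912,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\122625.tmp"'},
    {"pid": 892, "ppid": 1012,
     "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'/s "C:\Users\Admin\AppData\Local\Temp\122625.tmp"'},
    {"pid": 1192, "ppid": 892,
     "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FDQLXWNfRPIesXxE\bhQrsumlSni.dll"'},
    {"pid": 1504, "ppid": 912,
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}
# Directories an unprivileged user can write to (heuristic).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\|\\Windows\\Temp\\", re.I)
# Heuristic (assumption): long all-letter directory and DLL names directly under System32.
RANDOM_SYSTEM32_DLL = re.compile(r"\\Windows\\system32\\[A-Za-z]{8,}\\[A-Za-z]{8,}\.dll$", re.I)
WIN_PATH = re.compile(r"^[A-Za-z]:\\")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(index, pid):
    """Yield ancestors nearest first; stops at an unknown parent or a cycle."""
    seen = {pid}
    current = index.get(pid)
    while current is not None:
        parent = index.get(current["ppid"])
        if parent is None or parent["pid"] in seen:
            return
        seen.add(parent["pid"])
        yield parent
        current = parent


def paths_in_cmdline(cmdline):
    """Quoted or bare tokens of the command line that look like absolute Windows paths."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return [t for t in tokens if WIN_PATH.match(t)]


def evaluate(events):
    """Return sorted (rule, pid) findings for the three heuristics described above."""
    index = {e["pid"]: e for e in events}
    findings = set()
    for e in events:
        name = basename(e["image"])
        parent = index.get(e["ppid"])
        office_parent = parent is not None and basename(parent["image"]) in OFFICE_APPS
        office_ancestor = office_parent or any(
            basename(a["image"]) in OFFICE_APPS for a in ancestry(index, e["pid"]))
        if office_parent and name in LOLBINS:
            findings.add(("office_spawned_lolbin", e["pid"]))
        if name == "regsvr32.exe":
            # Everything on the command line except regsvr32's own image path is a target.
            for target in paths_in_cmdline(e["cmdline"]):
                if basename(target) == "regsvr32.exe":
                    continue
                if USER_WRITABLE.search(target):
                    findings.add(("regsvr32_user_writable_payload", e["pid"]))
                if office_ancestor and RANDOM_SYSTEM32_DLL.search(target):
                    findings.add(("regsvr32_random_system32_dll_under_office", e["pid"]))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule}: pid {pid}")
```

Note that the direct-parent check alone only catches PID 1012; the two later regsvr32 processes are caught because the rule walks the whole ancestry back to WINWORD.EXE, which is why a detection that keys only on the immediate parent misses the persistence step of chains like this one.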
Network
MITRE ATT&CK Enterprise v6
Downloads
Two of the three distinct files are several hundred megabytes, matching the inflated size of the document itself; hash them with a tool that does not silently skip large files, and do not rely on size-capped scanners for this chain.
- Filesize: 528.5MB
  MD5: d86ef1b48296cdcd77a87b86aaa8d69e
  SHA1: 5898d408f0ff95094a81bbea7cae41a247285ffa
  SHA256: 61d1979dd3218b41992f2c017b7a748772a4e731c78e53de4ae4cf474fa6c897
  SHA512: c58414dd68195d2ce085e14f52f6be161c21df3ad6c70d856dd7729af5e61a03f1e18d70b4842dd1909440cae17285fa9c0844a6ce9a4b9f38e32817666540e7
- Filesize: 813KB
  MD5: 9d87f89d198d252433d3aa57d30a7f2a
  SHA1: b03fb7fe7765e5457ff78624a8073be6e200b850
  SHA256: d8a70af3e78ecc413497c9f6c6a8f0ca4a3a85756bf3b11b8ac158173ce110bf
  SHA512: 0d41db6a87f29c9afeac60dbf55d517a6287bd2504b6b04de6bc91868a366d53c3514f6063d6e435162ca2928995a00f9230d19a90801dc88ab9f6e53bce9446
- Filesize: 528.5MB
  MD5: d86ef1b48296cdcd77a87b86aaa8d69e
  SHA1: 5898d408f0ff95094a81bbea7cae41a247285ffa
  SHA256: 61d1979dd3218b41992f2c017b7a748772a4e731c78e53de4ae4cf474fa6c897
  SHA512: c58414dd68195d2ce085e14f52f6be161c21df3ad6c70d856dd7729af5e61a03f1e18d70b4842dd1909440cae17285fa9c0844a6ce9a4b9f38e32817666540e7
- Filesize: 334.7MB
  MD5: 05aef316e91d4e8bcc919a783178c723
  SHA1: e62a3d2d17f9125665d7370b6b35c88bfa2e5709
  SHA256: d80a85a4b02313bcb24a349a6f457ad03652f7be70a8b409f40663ba3725c3ec
  SHA512: 4b1e491056527e8e3ca949143e654c70a96598ec748dc7efc3a73711edcbd60020fb00e5b8aa7bfbfc16267aeb34f2ef81d569faaad8667afdbc663d4e362b08