Overview

overview

10

Static

static

8

Fattura 9896.doc

windows7-x64

10

Fattura 9896.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09-03-2023 12:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fattura 9896.doc

  • Size

    527.3MB

  • MD5

    f4dc8e74895fb969955971eab1f1ed47

  • SHA1

    bbd65bd17726552de75a527a2737de552597c341

  • SHA256

    0087aea8af8d85451d27c345155c3458012dda25858b0a1c039dc2c57251feb0

  • SHA512

    34d5b04016f695670fed9c93fce44fc7da17b1e52567eaf72cd7a1b4e1a5b1523a4e0146915b3e1ab9db87d207ce95ef54a5acbca89fd949f03eab59b02ccda5

  • SSDEEP

    6144:QDuxuMOZCBtANveapnaWVgsaNlbfXhoEHC87pnkTnlzIWZ4:18yGZZak8fxJB1e5IWZ4

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Fattura 9896.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\140010.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\140010.tmp"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NtoSVBaeTDYmO\FpmaoCgRxcKIrD.dll"
          4⤵
            PID:376
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1552

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\140010.tmp
        Filesize

        519.5MB

        MD5

        8369f8222def57832e649eb39fd2e1cb

        SHA1

        d42f215ae5af681e8e0125c7a8399759803f6f01

        SHA256

        290192ceb0b157166d9ae46d4d8980ea2840e91b97411c49dba08da45125e429

        SHA512

        2e9a47cdddc536cd455fa42774bf55d193aea100aa61adaf20f155f9199132b014da2c19327b984eb09537170d40af59fde81396aea3228cf767d31fa42732e6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\140016.zip
        Filesize

        804KB

        MD5

        7821adc2f937cd7f7f6fc3499ceda7c3

        SHA1

        5e4c4bd7a474c4bebe39b3741ccbc54e524692d4

        SHA256

        95944d22d1e39c3d3f1b7f35fc225b81fd937d711a662b219fa94422e78c8f17

        SHA512

        f850146e6bd3a1a43da0f01db570c8881642aabf3a315db429a1bb2834cfe7baed183f575cd3774948ef5cd485f7a042d580dbb48f77f47a081e967273bb85cb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        3406783a5bb7dc42ac056c3e70944e3e

        SHA1

        ee781e2b18d4e3c11e8a8f697ce185c3d29b6049

        SHA256

        1d4b504cccfb452912379c89c1248192834fd43f5e4cfede0be12f4995286572

        SHA512

        462df007ca00069518e537259e39d8f6773952ccb702f73bc8835e38e04072a66458cbdcab3e6cd4cd4bce039b377b65bea6ff32e2448fa0bdbe157890bf8504

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

        Download Submit

      • \Users\Admin\AppData\Local\Temp\140010.tmp
        Filesize

        519.5MB

        MD5

        8369f8222def57832e649eb39fd2e1cb

        SHA1

        d42f215ae5af681e8e0125c7a8399759803f6f01

        SHA256

        290192ceb0b157166d9ae46d4d8980ea2840e91b97411c49dba08da45125e429

        SHA512

        2e9a47cdddc536cd455fa42774bf55d193aea100aa61adaf20f155f9199132b014da2c19327b984eb09537170d40af59fde81396aea3228cf767d31fa42732e6

        Download Submit

      • \Users\Admin\AppData\Local\Temp\140010.tmp
        Filesize

        519.5MB

        MD5

        8369f8222def57832e649eb39fd2e1cb

        SHA1

        d42f215ae5af681e8e0125c7a8399759803f6f01

        SHA256

        290192ceb0b157166d9ae46d4d8980ea2840e91b97411c49dba08da45125e429

        SHA512

        2e9a47cdddc536cd455fa42774bf55d193aea100aa61adaf20f155f9199132b014da2c19327b984eb09537170d40af59fde81396aea3228cf767d31fa42732e6

        Download Submit

      • memory/376-1881-0x0000000000170000-0x0000000000171000-memory.dmp

        Filesize

        4KB

        Download

      • memory/848-95-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-74-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-60-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-62-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-63-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-64-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-66-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-99-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-68-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-70-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-71-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-72-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-73-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-100-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-76-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-77-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-78-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-102-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-81-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-82-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-83-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-85-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-86-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-87-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-88-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-89-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-91-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-92-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-93-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-57-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-96-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-97-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-67-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-59-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-80-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-101-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-103-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-105-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-106-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-108-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-109-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-110-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-112-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-113-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-114-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-116-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-117-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-118-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-119-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-115-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-111-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-107-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-104-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-98-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-94-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-90-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-84-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-79-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-75-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-69-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-65-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-61-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-1605-0x0000000006300000-0x0000000006301000-memory.dmp

        Filesize

        4KB

        Download

      • memory/848-1887-0x0000000006300000-0x0000000006301000-memory.dmp

        Filesize

        4KB

        Download

      • memory/848-58-0x0000000000560000-0x0000000000660000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/848-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1944-1880-0x00000000001B0000-0x00000000001B1000-memory.dmp

        Filesize

        4KB

        Download