5361757e8451b17a5e26007548763f8794827495f8e86dd49b6f5be7086408e4

Analysis

max time kernel
57s
max time network
43s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invio documento rif.3726532 del 09.03.2023.doc
Size

548.3MB
MD5

4f2f1cd0d22492311fb31c20c9a8d707
SHA1

775544d082f31f0dd98acfc4f000c557f5454de4
SHA256

5ffb05c0639e3e5262da53181aa9fd19cef75846a07ab64040b04f705596394f
SHA512

af93d1769d23ada2c7c89a84e31c874f81b3cb368c21eb3f617fccb095dee7f4e072673b6e38106089f0622f5c2d2179a8c1e24ccf5a42cd137ed8a9c3579aee
SSDEEP

6144:QDuxuMOZCBtANveapnaWVgsaNlbfXhoEHC87pnkTnlzIWZ4:18yGZZak8fxJB1e5IWZ4

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2044	1400	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1400 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1400 WINWORD.EXE
1400 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1400 WINWORD.EXE
1400 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1400	WINWORD.EXE

pid	process
1400	WINWORD.EXE
1400	WINWORD.EXE

pid	process
1400	WINWORD.EXE
1400	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invio documento rif.3726532 del 09.03.2023.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\132211.tmp"
2⤵
- Process spawned unexpected child process
PID:2044

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\132211.tmp"
3⤵
PID:1812

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PkiFFLECLHkyssZ\uGunRmxWiTGlQO.dll"
4⤵
PID:1900

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\132211.tmp

Filesize
531.5MB

MD5
f64544cfce0287fdf9062605f884fc54

SHA1
bd5470a805762a371d72a05e48ba397442e0a8e6

SHA256
83f604c5e5f6856ab2ccfdb732218f87ea0f5704043f5ec384d8fdcc9a85a513

SHA512
2d51dfe44a684305075fc847a652ee04f4bac2900a0f3c677b6a6a70be5201a703a3918993fc994107b66167c7268a1b89b5cf8b53c1fa4af11bff38ef29a7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\132217.zip

Filesize
816KB

MD5
792875b3dd621781b5012aad4c44316a

SHA1
f6e9e202a8dc07816e2ea06cc00beaf17b8e8bf9

SHA256
03e98dc99228da5853b7a86f72a775df3d496b222ad1201e10abd2d2ef6aafb7

SHA512
f416501c31534f792d2ea9ee56f11a9131db39030561fbb869d8e49594f81aded4da1383de91266218e6a27a562a1e151b452e3bd3babf0e746d30d341253037

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
8c4eef0a59d6ae062a9b60380efe0ca3

SHA1
845c1a661af0b9263a7021e6e48b78a712ac441e

SHA256
fdd1639a7cef952759ca46d20a1a8a8fa52e11132430bcfd2dac3b6408836f75

SHA512
5b73d80a16e0f78c364a53cd27b83e586bfe719b02dbc25fd1c72bede3ce65d9efe4d020fc0eb4c770ec38130d917daec075d68104ce59c2a79db56711ede39a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\132211.tmp

Filesize
520.3MB

MD5
90dcab9b1a0b4954f86f277d74312d83

SHA1
a02d5cc7971581e6cd70f2988951ac72621ca9fe

SHA256
bf99595f9a637f8e5008866016a0cf3c041d8fb02a46c2f07570bf0f65ce92e6

SHA512
0075f3ea10ea9a33ba959d495b7babfe5574ced6b1d06f2a353414d7c46722e905bd957d8c3c9680be8debbee5e8292c49013e533d3d02a488e7b97baabb5278

Download Submit
\Users\Admin\AppData\Local\Temp\132211.tmp

Filesize
531.5MB

MD5
f64544cfce0287fdf9062605f884fc54

SHA1
bd5470a805762a371d72a05e48ba397442e0a8e6

SHA256
83f604c5e5f6856ab2ccfdb732218f87ea0f5704043f5ec384d8fdcc9a85a513

SHA512
2d51dfe44a684305075fc847a652ee04f4bac2900a0f3c677b6a6a70be5201a703a3918993fc994107b66167c7268a1b89b5cf8b53c1fa4af11bff38ef29a7e7

Download Submit
memory/1400-89-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-71-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-59-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-60-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-61-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-62-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-63-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-64-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-66-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-65-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-68-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-67-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-69-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-92-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-70-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-72-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-74-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-75-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-76-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-78-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-80-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-81-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-79-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-82-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-94-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-83-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-85-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-86-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-88-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-90-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-57-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-91-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-102-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-58-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-84-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-96-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-97-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-99-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-100-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-101-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-93-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-106-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-105-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-103-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-107-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-108-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-111-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-110-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-112-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-113-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-114-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-116-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-118-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-119-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-117-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-115-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-109-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-104-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-98-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-95-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-87-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-77-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-73-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/1400-1605-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/1400-1880-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/1400-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1812-1881-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1900-1888-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download