41d18cf14145a2437afb9d093abec8ac4297cd06f7d56992f5cee74ff4d596f2

Analysis

max time kernel
25s
max time network
96s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
09-03-2023 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DATOS_0973.doc
Size

507.3MB
MD5

2b2c491813fa283bcae934cf29381dc4
SHA1

53edd6c15f10e5eceb3aeb231909110ba7bdccab
SHA256

e22072d225a264695a9a3ad92e21c0325a4a49e310c4720627c7da5545ef4e92
SHA512

0fbe386067d285aa0e9459dc97443fccc4bcf6a2078ad78e6a7d09315ef3996017379e648dcdd63d7a928bb28aa2698e02a02d46530b3f169147eb3cd1d55040
SSDEEP

3072:2JX29m8QBUoItA/leC6gSJ+2JiclnUOvrRxqmLcHeNJxPkdVdTRcDK6:2EmleC6gSJWclU0RxVLcHe5cdTR

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1000	1716	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1716 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1716 WINWORD.EXE
1716 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1716 WINWORD.EXE
1716 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1716	WINWORD.EXE

pid	process
1716	WINWORD.EXE
1716	WINWORD.EXE

pid	process
1716	WINWORD.EXE
1716	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DATOS_0973.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\122622.tmp"
2⤵
- Process spawned unexpected child process
PID:1000

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\122622.tmp"
3⤵
PID:824

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JRZqohiiBjreKJYEq\UfMXk.dll"
4⤵
PID:1720

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\122622.tmp

Filesize
526.5MB

MD5
efd82875faec2cd3b02db62998348753

SHA1
22c09b81bf4a29d1511d464e9a31c553b57bd862

SHA256
65d2fea34b5ead55f85670e48c686de4421954c4fd235f5247d60f43d205114e

SHA512
28927752998ab6f8393363c24bb4545fe8cbb7a76cdd34c62d237831f568a431f571592fcbd9bb669d60ef32f66fa25f8d0c845fddadd498b69302c3f50c0d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\122626.zip

Filesize
811KB

MD5
cfb2efb2b8bc087f29e9c23cfad3caa7

SHA1
e0122816f9548649bc023fc5672a79fefb406bdc

SHA256
844b8324628a400e90f51ff91c865dff28141b108e304005a2879759945e83f5

SHA512
c3117199d445e77d5efdf0466cb0c8e11c7d71e8ca70e7bdac7217aaf45ceca35cea9a68fae28d5c68187871c894fb0281410099432e00c9c66d8a50a97166a8

Download Submit
\Users\Admin\AppData\Local\Temp\122622.tmp

Filesize
526.5MB

MD5
efd82875faec2cd3b02db62998348753

SHA1
22c09b81bf4a29d1511d464e9a31c553b57bd862

SHA256
65d2fea34b5ead55f85670e48c686de4421954c4fd235f5247d60f43d205114e

SHA512
28927752998ab6f8393363c24bb4545fe8cbb7a76cdd34c62d237831f568a431f571592fcbd9bb669d60ef32f66fa25f8d0c845fddadd498b69302c3f50c0d6b

Download Submit
\Users\Admin\AppData\Local\Temp\122622.tmp

Filesize
526.5MB

MD5
efd82875faec2cd3b02db62998348753

SHA1
22c09b81bf4a29d1511d464e9a31c553b57bd862

SHA256
65d2fea34b5ead55f85670e48c686de4421954c4fd235f5247d60f43d205114e

SHA512
28927752998ab6f8393363c24bb4545fe8cbb7a76cdd34c62d237831f568a431f571592fcbd9bb669d60ef32f66fa25f8d0c845fddadd498b69302c3f50c0d6b

Download Submit
memory/824-1768-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1716-110-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-85-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-86-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-111-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-87-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-88-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-90-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-91-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-89-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-92-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-112-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-95-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-113-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-100-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-102-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-101-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-103-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-106-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-107-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1716-93-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-84-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-96-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-114-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-116-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-109-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-108-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-115-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-105-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-104-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-147-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-139-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-98-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-99-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-97-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-94-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-83-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-1504-0x0000000006010000-0x0000000006011000-memory.dmp

Filesize
4KB

Download
memory/1716-82-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-81-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-80-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-79-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/1716-1774-0x0000000006010000-0x0000000006011000-memory.dmp

Filesize
4KB

Download
memory/1720-1775-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download