edfd8e518a46b0fde90bf7c2276dd64107a2e09b360cf02f4ffd03a6e6e42d0b

Analysis

max time kernel
31s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Contract - Mar-09-2023.doc
Size

522.3MB
MD5

31f97ce2bbc58266f6eb92213f1a2454
SHA1

3be2b2eb3215d451dc475d63048eee889da48cbc
SHA256

62ab0b86d0eda61c16827847de2edf4920558f8e4c6b63eb720a09e6dea6f734
SHA512

a1c36524b14f633d2346b369ecc07b23a549793c842f50452d3189218cad32bf871113368a98c531f5575e041affe76f2c144875f9cf378e39378495ff6393f7
SSDEEP

6144:QDuxuMOZCBtANveapnaWVgsaNlbfXhoEHC87pnkTnlzIWZ4:18yGZZak8fxJB1e5IWZ4

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	656	1084	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1084 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1084 WINWORD.EXE
1084 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1084 WINWORD.EXE
1084 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1084	WINWORD.EXE

pid	process
1084	WINWORD.EXE
1084	WINWORD.EXE

pid	process
1084	WINWORD.EXE
1084	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Contract - Mar-09-2023.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\132039.tmp"
2⤵
- Process spawned unexpected child process
PID:656

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\132039.tmp"
3⤵
PID:580

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BAMRpvzQOeh\jgIR.dll"
4⤵
PID:556

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\132039.tmp

Filesize
504.1MB

MD5
0a9a68f2b7f83de7d33f3d27b379d8dd

SHA1
78053a852e6b7a5d76d92a1e2d164df04205618d

SHA256
be8ee37126a787c143124fffe77169d9a8f8dd3815b85a24c69e92c739a6d48c

SHA512
67e07119809cc55b9ffed39cf7b5880615a9200c3100f7d27bbeb9ad14bfdb42ad7779bd29e8d998c7d2f03a2f9d0a1c28bda0ae8fb00d11c7e26b6480ba7762

Download Submit
C:\Users\Admin\AppData\Local\Temp\132045.zip

Filesize
804KB

MD5
7821adc2f937cd7f7f6fc3499ceda7c3

SHA1
5e4c4bd7a474c4bebe39b3741ccbc54e524692d4

SHA256
95944d22d1e39c3d3f1b7f35fc225b81fd937d711a662b219fa94422e78c8f17

SHA512
f850146e6bd3a1a43da0f01db570c8881642aabf3a315db429a1bb2834cfe7baed183f575cd3774948ef5cd485f7a042d580dbb48f77f47a081e967273bb85cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
51da5bdef211ed5e63f2768c0272b896

SHA1
04610842be0831cf75d19c6ec27db191885ec85c

SHA256
a5e94cb90bedc6f9362be287a9f35b4c634f76ef0b6f1adf5496e6b4b0f0eb80

SHA512
bafcf35453841beb5e04e8b0ad306699f822cebed1796bcbcde54d03ed0f0213f4365c31a7d5c43a19bce4a281f4d8485c72100e66ee968d1bc54df958f21420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\132039.tmp

Filesize
519.5MB

MD5
8369f8222def57832e649eb39fd2e1cb

SHA1
d42f215ae5af681e8e0125c7a8399759803f6f01

SHA256
290192ceb0b157166d9ae46d4d8980ea2840e91b97411c49dba08da45125e429

SHA512
2e9a47cdddc536cd455fa42774bf55d193aea100aa61adaf20f155f9199132b014da2c19327b984eb09537170d40af59fde81396aea3228cf767d31fa42732e6

Download Submit
\Users\Admin\AppData\Local\Temp\132039.tmp

Filesize
506.8MB

MD5
5d27f6145bb74ab21935ff606edb8464

SHA1
278cb2e0ef28598f00fe7242695a0f920ff56318

SHA256
f74b0c769c19e64e22de1c4bc1edfa869ca55098930b54a6f033163fa05c8744

SHA512
bfea7de2dace95c4bf0e4e33cc23c6209b116584724a24ebeaa9b04895e8b32a7b2e56381df93c93aead89e1c9a69cbaf25436f49e98fa6b9c5636e6435ebdb1

Download Submit
memory/556-1886-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/580-1880-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1084-101-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-106-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-83-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-84-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-85-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-86-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-88-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-87-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-90-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-91-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-93-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-95-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-94-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-92-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-96-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-97-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-99-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-100-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-81-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-103-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-104-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-105-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-102-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-82-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-108-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-109-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-107-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-110-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-112-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-113-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-114-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-115-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-116-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-117-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-118-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-119-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-120-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-111-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-98-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-89-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-145-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-143-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-1605-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/1084-1885-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/1084-80-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-79-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1084-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download