011321e19137791d75565fa6381b42277ae7654ce86ae940d783d9a959f6c5ef

Analysis

max time kernel
33s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59_125804.doc
Size

540.3MB
MD5

5eb04eeef21117669ad8de41e3b7b1cc
SHA1

2afb73cb3ea43fb3e81f88929a0f9ef621d5175c
SHA256

5b3ff8c7ef3e5a1f2807c561e748f4bfbf9a7e046acf80a761bc6e14428f6b35
SHA512

f15879ce7f4199971b03b741e8e379b43ae7f9afaa377870688c5859f24cc98b413e767c302f8066c5d5b58afadebb505d1c1ecdbed726038255cf74193c6f25
SSDEEP

6144:QDuxuMOZCBtANveapnaWVgsaNlbfXhoEHC87pnkTnlzIWZ4:18yGZZak8fxJB1e5IWZ4

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1964	1104	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1104 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1104 WINWORD.EXE
1104 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1104 WINWORD.EXE
1104 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1104	WINWORD.EXE

pid	process
1104	WINWORD.EXE
1104	WINWORD.EXE

pid	process
1104	WINWORD.EXE
1104	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\59_125804.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\133843.tmp"
2⤵
- Process spawned unexpected child process
PID:1964

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\133843.tmp"
3⤵
PID:2008

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PTFRgiDIZhGxeNeAS\rZbNAimvzpWHFn.dll"
4⤵
PID:1460

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\133843.tmp

Filesize
446.1MB

MD5
25733dd207a7c0c6adc3d95295e1e2d8

SHA1
b107cb17bf6cdeb31e09e8150970e856b8802c93

SHA256
04f3376408f3b5167880debbe744e2e61a03347c111b65eb61c5e3c30bff59c8

SHA512
a321cf5e35fdd5b4b0b8ea7eee8a7dc04cf4321af2b71e2e8e1a33fe22e6d90d908935e93b18988493047845002dbf271ca7408024e3420163b6c7ecad79fc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\133850.zip

Filesize
804KB

MD5
7821adc2f937cd7f7f6fc3499ceda7c3

SHA1
5e4c4bd7a474c4bebe39b3741ccbc54e524692d4

SHA256
95944d22d1e39c3d3f1b7f35fc225b81fd937d711a662b219fa94422e78c8f17

SHA512
f850146e6bd3a1a43da0f01db570c8881642aabf3a315db429a1bb2834cfe7baed183f575cd3774948ef5cd485f7a042d580dbb48f77f47a081e967273bb85cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
38eaad63055d4406ab4941d5eb02f9c8

SHA1
c5663521aad9439d994e89f84d75ffefb1e1642b

SHA256
94ba0ebfc73f5b4f31e7826f278528d12188c006d13238a8264f234032bab932

SHA512
815a7f19898c688ef3d2a4588e5be291b0aaa0d8de6c295ca76e25c32946e955e87f01012e8fbc8727281309848b41d689c08eb77766f0ae7b2a5c5174b2a8b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\133843.tmp

Filesize
496.4MB

MD5
1d2a834d69da5b42940645217f411155

SHA1
9062fff93a8aeb9803055106767ab8b5aa13a9ac

SHA256
b97e52ba63086d06156d5664abe5cbd9e09257368014ff7085d29e487aae9f54

SHA512
5ce28bfd5ec2c27fb569e91c86fc71cb4d1452a302c35bba04ab7575e0930feb72d61459505e7d5fbaf1c1ab014697df8b9363fa670acc65dfbbb0bb3eb47dac

Download Submit
\Users\Admin\AppData\Local\Temp\133843.tmp

Filesize
519.5MB

MD5
8369f8222def57832e649eb39fd2e1cb

SHA1
d42f215ae5af681e8e0125c7a8399759803f6f01

SHA256
290192ceb0b157166d9ae46d4d8980ea2840e91b97411c49dba08da45125e429

SHA512
2e9a47cdddc536cd455fa42774bf55d193aea100aa61adaf20f155f9199132b014da2c19327b984eb09537170d40af59fde81396aea3228cf767d31fa42732e6

Download Submit
memory/1104-91-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-70-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-59-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-60-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-62-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-63-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-64-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-65-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-61-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-66-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-67-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-68-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-69-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-96-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-71-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-73-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-75-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-77-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-79-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-80-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-78-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-82-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-83-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-84-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-98-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-87-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-88-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-89-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-90-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-86-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-57-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-92-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-103-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-58-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-85-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-97-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-99-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-100-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-102-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-101-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-81-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-104-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-107-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-106-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-109-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-108-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-111-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-115-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-114-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-116-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-117-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-118-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-119-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-113-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-112-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-110-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-105-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-95-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-94-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-93-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-76-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-74-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-72-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1104-1605-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/1104-1895-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/1104-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1460-1896-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2008-1880-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download