Overview

overview

10

Static

static

8

DATOS_0973.doc

windows7-x64

10

DATOS_0973.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    90s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09-03-2023 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DATOS_0973.doc

  • Size

    507.3MB

  • MD5

    2b2c491813fa283bcae934cf29381dc4

  • SHA1

    53edd6c15f10e5eceb3aeb231909110ba7bdccab

  • SHA256

    e22072d225a264695a9a3ad92e21c0325a4a49e310c4720627c7da5545ef4e92

  • SHA512

    0fbe386067d285aa0e9459dc97443fccc4bcf6a2078ad78e6a7d09315ef3996017379e648dcdd63d7a928bb28aa2698e02a02d46530b3f169147eb3cd1d55040

  • SSDEEP

    3072:2JX29m8QBUoItA/leC6gSJ+2JiclnUOvrRxqmLcHeNJxPkdVdTRcDK6:2EmleC6gSJWclU0RxVLcHe5cdTR

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DATOS_0973.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\184655.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:696
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\184655.tmp"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XPPUgRswaQG\cjUgkKjOD.dll"
          4⤵
            PID:2020
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1460

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\184655.tmp
        Filesize

        532.5MB

        MD5

        496cb93dad84451262e6731fc58ff7ea

        SHA1

        faf24806e9074f83acbdecb909523f56554b2d06

        SHA256

        65afbb76be88d23dddf708d3a4a748286ad4e3b5344fcce4ea8391ba58ed98ac

        SHA512

        4100bdac6db42a42ff2c7da6542732fb0f2dd4a624b033b7a87670ba974ee423da6a0728e7c7baebec6c8e6be26a565904ce9c9d545d39a9e531b9834f2c7dfb

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\184658.zip
        Filesize

        817KB

        MD5

        bbbafd0396a4860db8c0badc26a76af3

        SHA1

        dc6069aafecbd34dd519ccee1a76dbe464b234e7

        SHA256

        2756678f1865dead86ac8787fcc85486dfa31d886b57bcf77473f73234207f72

        SHA512

        1d6b93ebc2236553b26417b2bb42e116d2c7eb95428e92cff91eaf037239442eeefaaeb72c3b567776759726eab7ed3dc5bc8c45011232e5be08e5a3d47ceee4

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        3ff994494eb4747f58de9b7a6982e5bc

        SHA1

        45c931e04f5a3826b11b4b791f318c524fb73c94

        SHA256

        775704c2ad3a5f6073b5369db61c5e28c8b9b2520fd802836a4af10f5c02bd70

        SHA512

        4c99e10ddcb9ff96217598c4138d91baad6cf7f5fb7417e4923664fe518782e631d56f10c36b428d0d4c40b6e9d799608e496bdd1ec1c5f63eada905668c5506

        Download Submit
      • \Users\Admin\AppData\Local\Temp\184655.tmp
        Filesize

        532.5MB

        MD5

        496cb93dad84451262e6731fc58ff7ea

        SHA1

        faf24806e9074f83acbdecb909523f56554b2d06

        SHA256

        65afbb76be88d23dddf708d3a4a748286ad4e3b5344fcce4ea8391ba58ed98ac

        SHA512

        4100bdac6db42a42ff2c7da6542732fb0f2dd4a624b033b7a87670ba974ee423da6a0728e7c7baebec6c8e6be26a565904ce9c9d545d39a9e531b9834f2c7dfb

        Download Submit
      • \Users\Admin\AppData\Local\Temp\184655.tmp
        Filesize

        532.5MB

        MD5

        496cb93dad84451262e6731fc58ff7ea

        SHA1

        faf24806e9074f83acbdecb909523f56554b2d06

        SHA256

        65afbb76be88d23dddf708d3a4a748286ad4e3b5344fcce4ea8391ba58ed98ac

        SHA512

        4100bdac6db42a42ff2c7da6542732fb0f2dd4a624b033b7a87670ba974ee423da6a0728e7c7baebec6c8e6be26a565904ce9c9d545d39a9e531b9834f2c7dfb

        Download Submit
      • memory/1812-1768-0x00000000001B0000-0x00000000001B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1816-85-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-70-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-61-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-60-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-59-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-88-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-63-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-64-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-65-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-66-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-67-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-68-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-69-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-90-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-71-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-72-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-74-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-73-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-75-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-76-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-77-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-78-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-79-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-80-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-81-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-91-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-83-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-84-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-57-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-86-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-87-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-89-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-62-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-58-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-82-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-92-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-93-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-94-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-97-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-95-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-96-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-98-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-100-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-99-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-102-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-103-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-101-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-107-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-108-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-106-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-105-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-104-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-112-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-113-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-111-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-110-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-109-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-114-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-115-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-116-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-117-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1816-1509-0x0000000006070000-0x0000000006071000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1816-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1816-1775-0x0000000006070000-0x0000000006071000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2020-1774-0x0000000000140000-0x0000000000141000-memory.dmp
        Filesize

        4KB

        Download