3643b11034cd76ef14c56d5b1b9f69c1b92b505c8e8ca48df0cb916ad462e271

General

Target

PN9642931951_202303091502.doc
Size

520.2MB
MD5

19b30426e432d8a7d7cf011ccfcbebc7
SHA1

5f721286ccaa5e028c3bded4d6db6065ec3905a9
SHA256

2284acd02af6cfbde6b217b27f1f1a34928daa1e087dad2723dab685768e17f5
SHA512

10f50a4fac0c4ca01d9f4cd6a5d1fb57e3114e1da90f44707160c668620a3f1aa9fbdd2b80b8c62eb985a041326f21dc5dc05ee5cd336d4011da027e7444142c
SSDEEP

3072:vpt3LDPYvrTr3jvZNWGBStinoLVMcXyHtt5YC7EGIuGEMYDDK6:H3AvrTPRUGpmpXqWCoGIuGEMY

Score

1^/10

Malware Config

Signatures

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

832 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

832 WINWORD.EXE
832 WINWORD.EXE

pid	process
832	WINWORD.EXE

pid	process
832	WINWORD.EXE
832	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PN9642931951_202303091502.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/832-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/832-57-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-58-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-59-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-60-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-62-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-61-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-65-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-67-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-70-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-73-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-74-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-77-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-80-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-83-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-84-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-82-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-88-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-81-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-78-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-79-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-76-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-75-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-72-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-71-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-69-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-68-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-66-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-64-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/832-63-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing