7f746e9f809a42c204791b96a39009116181cc8387dd1b9a18b5298542259325

Analysis

max time kernel
42s
max time network
131s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-03-2023 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5852826951552390283377037368.doc
Size

507.2MB
MD5

9c2c9255706a88618328799742831333
SHA1

eb2a2742492738903fc285513e26d07e004d1d6c
SHA256

09244da710b8530420749d82861548c08e6a775e4f06765e1160756e802d9b47
SHA512

a2e45883139ebef0de551a75be4f62c13ace9a18f905d7f335e1b17b054bc59a48743dd7d26038ee7c1129faa25ef2d37b49506099589fa82e82870b97704545
SSDEEP

3072:vpt3LDPYvrTr3jvZNWGBStinoLVMcXyHtt5YC7EGIuGEMYDDK6:H3AvrTPRUGpmpXqWCoGIuGEMY

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1420	1980	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1980 WINWORD.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WINWORD.EXE

pid process

1980 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1980 WINWORD.EXE
1980 WINWORD.EXE

pid	process
1980	WINWORD.EXE

pid	process
1980	WINWORD.EXE

pid	process
1980	WINWORD.EXE
1980	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5852826951552390283377037368.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\075311.tmp"
2⤵
- Process spawned unexpected child process
PID:1420

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\075311.tmp"
3⤵
PID:908

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\GDKiF\fqomr.dll"
4⤵
PID:1904

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04ac959ee42a6c1d68f60398cce503ea

SHA1
b3ce58dcf95822642455d19c36795d914343b963

SHA256
e0c3042965b46e12b77e94f421581d97cc5602e7eae66732fb47012a2d9b3a6f

SHA512
ab3f8b58bcbf90a2acfc1d207c377b3c7a2a68ea2b6e6427ced5c1c2f1a3f197c5fde7c55df06982cdc09921a1beb8af9f799b77e815816b72e37d53938c5228

Download Submit
C:\Users\Admin\AppData\Local\Temp\075311.tmp

Filesize
461.2MB

MD5
bdb2b8eea4adc312d5e5c9d353eb3f1b

SHA1
e9a00f15c76c13d34e8cfcadfaed63a611f4caa6

SHA256
094883a9f51af6f78bbd408a9e9bad4345ff489a701b0215949a6c862c33c501

SHA512
0338adaab61e27121d3836c91577dd6abe2e4c9c625ad363c9b6c3a1e01d4bf2d22c5c7e39154695d22ee3f33d32221544aaa50acf9781c78056ced0a480babf

Download Submit
C:\Users\Admin\AppData\Local\Temp\075334.zip

Filesize
833KB

MD5
0b0aa65659ae2951ff20148b036b820e

SHA1
7a7239f7a01fe54b5e14052d536028013a64c95a

SHA256
5684cef3c530b9c5e804bc98b778f628de36efc46e50610b3c6a7fc15580cc3e

SHA512
37f4fb6c3b8953fee3cf6ac12589b99764949fbf26a1a03c8a4cb0db320904b7bbfb17c0f8715918d89c49c3a3588426dabf384bcecea91fa71f25059172f85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab650E.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar666C.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
004acff287d17b0028d39108d5c72bc9

SHA1
c07c309360e3aa5649b975debfce2ede5465243e

SHA256
0747409ff82f5217b0b80370a5e0bc7ae01c51c47c95a634c82739a58685ec13

SHA512
e806c71fd56e22d2ec3f517385862ce95adbf36ba5ee1d5c6ce82b53f924f0cff9c1f8c60e9cf5988dddd689e9959a7c756e0878ce29913afcbf12b8e6615296

Download Submit
\Users\Admin\AppData\Local\Temp\075311.tmp

Filesize
485.2MB

MD5
10b08b77d5c1dd112dfb0a52cd1845b9

SHA1
e68c380d8d046bba80c8339fe124bf447ab6ee28

SHA256
953a42e5ba9db1a7a3af465b1a4afd0c394bfc6f41103a7d3d19321e6ab00ef1

SHA512
497eb513f018db8db906fe5d77efff9611848adc19bcbf6e8bf6b78928e09525e2deb1e1802212ef865f7def0da7ac2e569b7a8c4b15528b9bd532b6f2e528b3

Download Submit
\Users\Admin\AppData\Local\Temp\075311.tmp

Filesize
519.6MB

MD5
a54080f6bd4bedb6aab95655b0560c75

SHA1
c19113ce5a14368c9a18d51a614ae1245f233deb

SHA256
68b69aadd374788f85264cc02cd8bd9b69ec12e5cf22c07f65b7204f9e642ff5

SHA512
84f2b17360563cb7bc08a9ed62dd6c75bc7ee68ed4b11f662f1da313c55c6f1c02bc4dd96a42bd05e87da15e081b0f2f0768bd1db8ffda437951e20876894e51

Download Submit
memory/908-965-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1904-973-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1980-66-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-70-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-68-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-71-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-72-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-74-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-75-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-76-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-77-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-79-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-80-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-81-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-82-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-78-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-73-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-69-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-83-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-84-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-111-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-67-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1980-63-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-65-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-64-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-838-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1980-61-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-62-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-60-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-59-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-966-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1980-58-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/1980-57-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download