d0e6255ab16f755bd8891fc51c9a35ba203a1d4fdb38fd34f3c7580f8252841c

Analysis

max time kernel
52s
max time network
121s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-03-2023 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Copia Fattura.doc
Size

506.3MB
MD5

9c1afe1b563063ea4c5a2b5158ac3dc6
SHA1

6242fbcf8325eeaba07d7bfb739d6eb276d31fc7
SHA256

19ffe678ba37ad6317085f3dfcc05e01aa8d0bf0ae245619dd7f98b023471b76
SHA512

2f39fc302fd23861f3ef0d3af98afb5192ef00b9fc31cf0df217bf47e1e6079032c4c2b340715b588f151b5dc9f9eda5bbc4f61974f45b6bb7a1c37dbe690eae
SSDEEP

6144:jkmCUX1RauEA55axdWFyDDIqqmbwbLUW:omC7uz552AFZqXbwbA

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1896	1980	regsvr32.exe	21

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1980	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1980	WINWORD.EXE
1980	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1980	WINWORD.EXE
1980	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Copia Fattura.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1980
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\103813.tmp"
  2⤵
  - Process spawned unexpected child process
  PID:1896
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Local\Temp\103813.tmp"
    3⤵
    PID:364
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\NzqhgZdCh\vpxRxhJOeIKfhV.dll"
      4⤵
      PID:1808
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bea64ec96bdce79ec24f702e2ef509a5

SHA1
43674e13d183bf56f4aacd0f3c59d04999f423af

SHA256
27cd3058eff39a771b682f522d659b3a4105aa97c302c9440a93d85622ce74c5

SHA512
d0574e01b7cc23799759623903b726e748b374bd732027ddaf81667106a63c893071fb6c91acbd4102e3fffe02206f391de494a3e3add6d257022117ec7e6093

Download Submit
C:\Users\Admin\AppData\Local\Temp\103813.tmp

Filesize
508.5MB

MD5
9fc9d254571839fbea90938a36516fb6

SHA1
2681756091cf60bec217a26943809f057958695a

SHA256
8ef826ac59d89f5c256bb8b9adba5642b4b9c3e2c2049766e784cb9e6e93a159

SHA512
86132152a3c264b67580fe39b8c7242f36bf31dfeead6eb2cfdfbba1c7756fcc33bb7409b09d1486f19016ff0d3e07895fb0d7be728f0d81244ab2367b34a74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\103841.zip

Filesize
803KB

MD5
ddd7c75f7a0ce4f5c57d1cdc96fdd242

SHA1
8a3b86e0ed30db4e7c33640399ffea5b355c137a

SHA256
b0c0001a2574d9fcc15bb8ee1381badb59b1afcb2947632660c925103175de8e

SHA512
38cd3d87328ba6dd06536d59f95f1b8d40a3a167edd33c71854d5b4d100161eab8fb3007c17db133b9d2a79cf56d34c9e62648e3f73bdfd34100a826ac8a0dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB723.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB8B0.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
\Users\Admin\AppData\Local\Temp\103813.tmp

Filesize
457.3MB

MD5
65bdd8d2575f5db5cb724433c3204fdc

SHA1
745a39a5be014a972f6a9825e6a3f7b142f9f430

SHA256
5ca9cc093f3c89942cfb8dafb5e8b533e1626239b733acb0854f25594dd5ecfd

SHA512
a85dce3b1fcd426ef0be81b7ffa857f3919c613c1dafc68909c098336c9638f65cfd4cab3888df7dd0e720c0dcadad334e8e20ade3075a35efc3ee447a18cd4f

Download Submit
\Users\Admin\AppData\Local\Temp\103813.tmp

Filesize
475.8MB

MD5
8af9dfb5bd3bc3cb7ece764137e91792

SHA1
6454415694c55d72d0f1bd0b7b7d65b621b3a037

SHA256
7883680230814a8b49b0667b9beb8620ca54702c7a583d06bc3f670640936002

SHA512
d84131c1404dc90cb7da0465d6d2451eb19292e0cea99645b6265c135200b3ca76a15c325668d68729889de9024bdef33fda6f1b95e7f6f8320f4a5847715dec

Download Submit
memory/364-1524-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1808-1526-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1980-88-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-95-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-64-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-65-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-66-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-67-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-70-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-69-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-71-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-73-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-74-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-75-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-76-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-78-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-79-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-80-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-82-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-83-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-84-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-86-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-87-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-85-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-62-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-90-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-91-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-92-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-94-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-63-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-93-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-97-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-98-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-99-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-102-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-104-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-103-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-101-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-105-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-100-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-96-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-89-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-81-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-77-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-72-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-68-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-61-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-106-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-107-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-1306-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/1980-60-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-58-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-59-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-57-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1980-1525-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/1980-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download