89ec82c194a3d16c389111e704226514b01ee5f118e663612091b4d5ca59cc78

General

Target

2023-03-08_1254.doc
Size

515.3MB
MD5

56fa3a6a45a6c48a6582c8ce100cb094
SHA1

79fa05d995a6dab74a6b85259ad83533fb4ecd08
SHA256

b4337a636049658bd281de947f0357e33efa17f3f80c3904d959cf6777df001d
SHA512

c65a4eab76532c4ca48eefe5814affc614b990eb2eac3e7cbcfe308ef9f0521382c9562be5aed5c338ddb9d761c3da66eda9de4638990c794bd33bc640252b35
SSDEEP

6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1332	1576	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1576 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1576 WINWORD.EXE
1576 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1576 WINWORD.EXE
1576 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1576	WINWORD.EXE

pid	process
1576	WINWORD.EXE
1576	WINWORD.EXE

pid	process
1576	WINWORD.EXE
1576	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-08_1254.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\104016.tmp"
2⤵
- Process spawned unexpected child process
PID:1332

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\104016.tmp"
3⤵
PID:2016

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WHHQAZPrjtaHtjgbQ\yxUub.dll"
4⤵
PID:1572

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\104016.tmp

Filesize
280.1MB

MD5
acfb255dc45bb287ffb5dfd9c771936e

SHA1
4ec6314e54f19855a2554e1909c69bde2d521f9d

SHA256
cc3d577d4b622566283076d449bdfe45e0c7098f62387f79d446a168ce8d931e

SHA512
1896f4189cf4d14a942bd09652de830d11359c913d6a3693e02cbbeca71c4b69ffbfa4e6c6b326aa5bb2e184141a3c3dfab3565be99f6faf7ef284e543c124c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\104019.zip

Filesize
867KB

MD5
6c839d892fef2f37d973ca28ce5e7a3b

SHA1
175ee07dc770ad81455d1f95152f1ae07e875e0e

SHA256
b2f19314b692f584203e6711e8d54f32b91a7864adbd203a4eaf6785042d47d9

SHA512
18a1ffa1876554a0e7716cbe5d77ce26a373aeb16992986bb8baaece2af502b576d7001a4271ceda09cec6fbbe750c06c8d40d4449ff8b52d01a924a49462af7

Download Submit
\Users\Admin\AppData\Local\Temp\104016.tmp

Filesize
408.0MB

MD5
0d67565720517acb2c8709f9b3947145

SHA1
64012f25e261779fc58b2c2aa5ad52ad47e255eb

SHA256
39783b9bb2167dd71af9b202ecfc3ffb5ab8001af5a8f23ed53f52aa14f8f663

SHA512
3b4cabb6a7421fca8429bb6eab1b5394f2dd35c536b1c49197dcd468e6ceb629f3833650e50c4235a6f92c192084ddcf3894a02f646ef9c551217b842de4d5a5

Download Submit
\Users\Admin\AppData\Local\Temp\104016.tmp

Filesize
504.3MB

MD5
46c7b328641709c13f98fde5165e21af

SHA1
eca023a1466e079832097d71b0f2c324cbb05442

SHA256
b07df04e25732bd7438c75e4df6ed37c22ec4ff0b3ac116193085eb50ee3c053

SHA512
0aea979909e02d334e141da72d58439f4fa1b9a78a19dc3644573ce3ae722280b6365e85ff1aab4c67d6f8e2498f715f43784e8178855729e842c62fb9121540

Download Submit
memory/1572-1271-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1576-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1576-477-0x00000000057B0000-0x00000000058B0000-memory.dmp

Filesize
1024KB

Download
memory/1576-519-0x00000000057B0000-0x00000000058B0000-memory.dmp

Filesize
1024KB

Download
memory/1576-1077-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/1576-1270-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/2016-1264-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing