cddb9e749edefbdc868a546d1e7dcab73ba704d3c759f085b532642fa2e42de3

Analysis

max time kernel
21s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-03-2023 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-03-08_1254.doc
Size

515.3MB
MD5

56fa3a6a45a6c48a6582c8ce100cb094
SHA1

79fa05d995a6dab74a6b85259ad83533fb4ecd08
SHA256

b4337a636049658bd281de947f0357e33efa17f3f80c3904d959cf6777df001d
SHA512

c65a4eab76532c4ca48eefe5814affc614b990eb2eac3e7cbcfe308ef9f0521382c9562be5aed5c338ddb9d761c3da66eda9de4638990c794bd33bc640252b35
SSDEEP

6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1672	1236	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1236 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1236 WINWORD.EXE
1236 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1236 WINWORD.EXE
1236 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1236	WINWORD.EXE

pid	process
1236	WINWORD.EXE
1236	WINWORD.EXE

pid	process
1236	WINWORD.EXE
1236	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-08_1254.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1236

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\120120.tmp"
2⤵
- Process spawned unexpected child process
PID:1672

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\120120.tmp"
3⤵
PID:1924

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YjbZCsbUAEuNua\VhDDinnw.dll"
4⤵
PID:664

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\120120.tmp

Filesize
131.2MB

MD5
a7e4e807689b488f3a5393ac7a9baac1

SHA1
de7d6282892dfb5b84e3580a99e6ffd5c151ef37

SHA256
b651a5038cff0057f6db221b03e97132dd23550addaf731ebde0cb97ae9b60af

SHA512
211d02cc7434d49db911df6aa1e1415457e872b7654b8f59c7a43e884a8bc149b34e68a7f07d0229f3257836ceb8c8146c9dd62d4c0796a7ec2cae61d17975d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\120124.zip

Filesize
867KB

MD5
6c839d892fef2f37d973ca28ce5e7a3b

SHA1
175ee07dc770ad81455d1f95152f1ae07e875e0e

SHA256
b2f19314b692f584203e6711e8d54f32b91a7864adbd203a4eaf6785042d47d9

SHA512
18a1ffa1876554a0e7716cbe5d77ce26a373aeb16992986bb8baaece2af502b576d7001a4271ceda09cec6fbbe750c06c8d40d4449ff8b52d01a924a49462af7

Download Submit
\Users\Admin\AppData\Local\Temp\120120.tmp

Filesize
128.1MB

MD5
a684b9d4c53435959f263c4ca196a84d

SHA1
35d3d0ab9f5d09eab27e2bd70eea4d9907076873

SHA256
32332556f81135af5f2c10ec33565e7faa69f0f7c9b293ff4c51939681191323

SHA512
9ddb500499a1cf716cc42d4d558e6880ed83772618304de7dab291ba3c6c9b0669910272e1b26257d156626b761ddcdd5e10b1342acf44cd3c7fe476e1801353

Download Submit
\Users\Admin\AppData\Local\Temp\120120.tmp

Filesize
91.5MB

MD5
177d920cb4b13884e29d7247e655506b

SHA1
f81270eff5d6a21cd303cdd2aa02bf155ef35577

SHA256
58760e5a47e1a4dfd3a8770dd043cd07c4b6290f98a5a74c1625406193c90b82

SHA512
9182654abf26ab021fec29bae37b6d04715bdfee622a70272e044de44396770af1c8f7b1e80bc7d69b44b7fe4e1d5a4dc9046fca1da4e4fe990cc0bf99d424a9

Download Submit
memory/664-1266-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1236-75-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-1077-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/1236-59-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-58-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-61-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-60-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-63-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-64-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-62-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-65-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-66-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-67-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-68-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-69-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-71-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-70-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-78-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-72-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-74-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1236-76-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-77-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-80-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-57-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-73-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-82-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-84-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-83-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-81-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-85-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-86-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-87-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-88-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-89-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-91-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-90-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-94-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-95-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-93-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-92-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-96-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-98-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-97-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-99-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-79-0x00000000007A0000-0x00000000008A0000-memory.dmp

Filesize
1024KB

Download
memory/1236-1267-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download