8c1ddd2e68bebc1b864c0240bfcbd7a65c53598a8368ce190a940d684d548974

Analysis

max time kernel
31s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-03-2023 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Opast International.doc
Size

507.3MB
MD5

d6bd3571da478170da80bf363a0a3cc1
SHA1

82354b12002d0af54a41569d9b056dee6485c220
SHA256

c9a0e9945939f2399702491faba916cda43a96749b45c4ad75a94a32dd558ae1
SHA512

a8fb1316a67cd225d4caece153e60e90975ab9aeda82da2cd0ec28f997e5aaec187af962881c796ecaac0744406dcdf40c75adc02757b3c3f5c2d7c04576f834
SSDEEP

6144:QDuxuMOZCBtANveapnaWVgsaNlbfXhoEHC87pnkTnlzIWZ4:18yGZZak8fxJB1e5IWZ4

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1380	1984	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1984 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1984 WINWORD.EXE
1984 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1984 WINWORD.EXE
1984 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1984	WINWORD.EXE

pid	process
1984	WINWORD.EXE
1984	WINWORD.EXE

pid	process
1984	WINWORD.EXE
1984	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Opast International.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\011335.tmp"
2⤵
- Process spawned unexpected child process
PID:1380

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\011335.tmp"
3⤵
PID:964

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MrkAfk\LTxubTiojkSI.dll"
4⤵
PID:1188

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\011335.tmp

Filesize
270.4MB

MD5
e8710885a4a0698493c390658d2db87f

SHA1
1836dbffe7830d560d1672f82922a1b8e39ba3df

SHA256
fe52ac0e16d58258e4ffc9b2ed49511af5f81d41acaa69655feca57da8b57278

SHA512
24d5c1092aa6c07c1005040b8d4bd5df3030bfe73c018f2c4feaa7c52e554ad8224b56f6b1fa289d7b914925af1af66d4a817b77a27c868986650f3be33069db

Download Submit
C:\Users\Admin\AppData\Local\Temp\011343.zip

Filesize
804KB

MD5
7821adc2f937cd7f7f6fc3499ceda7c3

SHA1
5e4c4bd7a474c4bebe39b3741ccbc54e524692d4

SHA256
95944d22d1e39c3d3f1b7f35fc225b81fd937d711a662b219fa94422e78c8f17

SHA512
f850146e6bd3a1a43da0f01db570c8881642aabf3a315db429a1bb2834cfe7baed183f575cd3774948ef5cd485f7a042d580dbb48f77f47a081e967273bb85cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
033cdd152a14212a10387601ae7fad46

SHA1
295a79628846d03c04d73c0ff84688ae04bf88cb

SHA256
1da6a133a35a7b6089bb6e34a0e81ec2d2a182ca64d7a7bf1a8257c76b43caf2

SHA512
c404587b30e67d525e03632c99666e6376fa3bf72d051b097231abe7347978b340dfa5505f812b21ef97046efbfc465eacbe0d20b9d4b1f927b574f0711c64cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\011335.tmp

Filesize
254.6MB

MD5
f443af86d59c842840d65fadec67ee10

SHA1
bf16455f74f85ad19f116a2cc974d221c9a7e43b

SHA256
0dba4a7a0f1ab6d26ddfccb70ffb81fff72751c1f7e6b24fd43a8e05655b543f

SHA512
61a3f04d339a70de7139499b58f247048ae3f5b8b9008c71effae141d833dbd6fa083ef47839511c28513ed42a3d2fc5d1c11c3c7fefbe3a648ee1780b9e4663

Download Submit
\Users\Admin\AppData\Local\Temp\011335.tmp

Filesize
276.4MB

MD5
70835e1e59a4e6826108349bc1418b5c

SHA1
5d2d06f269ce37e600c3f9b71a62f0b401e9bc7a

SHA256
6925c891b3597c34e0248a7267b58234b199954d2751224e7bdecdc4ac94a526

SHA512
2e99a428803156a18c13d7c51299c2fb90201e61b3dfe493c7b76657d09034ae0c2a465c9a0cad871394ddb29a1bb7f3bfd7c88f5633606062826a52699c6bf9

Download Submit
memory/964-1880-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1188-1894-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1984-101-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-80-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-66-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-67-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-68-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-70-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-69-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-72-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-73-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-74-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-75-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-77-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-78-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-114-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-83-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-84-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-86-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-89-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-90-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-91-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-88-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-95-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-96-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-97-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-98-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-99-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-100-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-93-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-64-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-102-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-115-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-110-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-117-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-65-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-107-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-116-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-112-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-113-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-119-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-118-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-111-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-109-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-108-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-105-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-106-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-104-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-103-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-94-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-92-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-87-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-85-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-81-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-82-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-79-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-76-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-71-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-63-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-62-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-59-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-58-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-60-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-61-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-57-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1984-1600-0x0000000006440000-0x0000000006441000-memory.dmp

Filesize
4KB

Download
memory/1984-1896-0x0000000006440000-0x0000000006441000-memory.dmp

Filesize
4KB

Download
memory/1984-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download