f1abbdcb36e1d9a389976e4d5ada0263cad9d9cb2d75319aa0fd2e0e2efaebc5

General

Target

Nuovo documento 2023.03.10.doc
Size

518.3MB
MD5

7b10cc4d02d11262ff3a0827e1ca926f
SHA1

4178ad78b1891dedc2e50d7fbc03f879b345c1d2
SHA256

d3a1c1342a4b6645ede22de755a41b30bc1720863c6f9905cb4aad0dd7492805
SHA512

93832bb4c8737fd4bfab70224019c68833881cb79ec0ca3dee6dd993ea596d345962b63b87d20944f166c52747ba9f55100c9086d80241df6fdd166fa2186808
SSDEEP

6144:jkmCUX1RauEA55axdWFyDDIqqmbwbLUW:omC7uz552AFZqXbwbA

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1420	1528	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1528 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1528 WINWORD.EXE
1528 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1528 WINWORD.EXE
1528 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1528	WINWORD.EXE

pid	process
1528	WINWORD.EXE
1528	WINWORD.EXE

pid	process
1528	WINWORD.EXE
1528	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Nuovo documento 2023.03.10.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\094601.tmp"
2⤵
- Process spawned unexpected child process
PID:1420

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\094601.tmp"
3⤵
PID:1716

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JAkVLNqE\FRwGuwkvVQv.dll"
4⤵
PID:1920

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\094601.tmp

Filesize
322.8MB

MD5
6457a9192ea50053d9df61aad7d2e4c4

SHA1
f6d5225818a4918fcb5cc25e71e8559c2a4a2de5

SHA256
5a2a1b5a9134ab2a390b5a9b559d50725b642ceee17efd3f1fdde6d36dae3a0d

SHA512
aa8da924a61efe28dd917df26e451811243ed0c2ed2130ddf936ecaf393c17ecdc52263bba8816106c67b1b1c83c35b753b1314889612ef3300042b271830960

Download Submit
C:\Users\Admin\AppData\Local\Temp\094603.zip

Filesize
809KB

MD5
f780db732dafe3aea7bec6e5b1915dc5

SHA1
a388e7954f76557d5edf4b8315d669fd2e4e7e8c

SHA256
14ee7bb38b78d00530df973d039d0c0586c4fd83e890e0cb63761f4b5baed11d

SHA512
6cc273cf52d6cc767dfa05b6408053ffa695abdaa42684d1fd196e3e43aca9b1395b5954266a8601f34cd52c5d7e559f0bad65dea2b5ac4ea17adf6ce1793f4c

Download Submit
\Users\Admin\AppData\Local\Temp\094601.tmp

Filesize
319.7MB

MD5
2a41f1fd013244e6b308c559379878b7

SHA1
fe43aae7709ded06386b7c3256dbee9b60c90180

SHA256
b5395c8cf6abcaedad2cf336b17fb113fcfbf569b571a2a28628d842ad28c001

SHA512
9d28bb417a406358e1b65b2d8b7f7bf713e08c741269e9370ec674c11f9bdd0d4e5a3072074009cc04e82267c9ae10c5d86d51fcb1c2aedd650e59455754e6e9

Download Submit
\Users\Admin\AppData\Local\Temp\094601.tmp

Filesize
234.8MB

MD5
a2a037aeb6d43dfba5a3b62559cefe52

SHA1
f5c684ac536a0139d7ebe801d466e9e8e5954bb4

SHA256
e603e6aa598f49912cb59a508be61f1d51751aaf349f28a043d5545de1fb6c8d

SHA512
4213c85fe421a8201ba33be1ce77a8f6e8ed0b9cb9703e8b96f8deabf80a15e37fa6d94381f8260962dc3b047a102cff4c455e068932670ce5df1d6fff4c0b59

Download Submit
memory/1528-96-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-99-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-79-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-86-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-85-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-89-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-90-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-88-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-87-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-91-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-93-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-92-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-94-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-95-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1528-97-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-98-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-80-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-100-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-101-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-103-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-102-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-104-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-105-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-128-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-177-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-81-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-1245-0x0000000006060000-0x0000000006061000-memory.dmp

Filesize
4KB

Download
memory/1528-82-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-84-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-83-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1528-1463-0x0000000006060000-0x0000000006061000-memory.dmp

Filesize
4KB

Download
memory/1716-1458-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing