b32d779478ff4441b049ff17031d47616ac04d6998d6ea4c9a996da50a36737f

Analysis

max time kernel
79s
max time network
114s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-03-2023 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice# 55452732.doc
Size

519.3MB
MD5

2c2dcdefb1ec0181096120afd23c046c
SHA1

9f150a690e4dd441f2e0bae572f89a868bdc2729
SHA256

4659836caf431739d1daf83bed991743fdb150110911fa629a65ea53382d72d3
SHA512

4a34acadebde1c0d84033a87179d7414f06e8d9742bce351845acab22a7d80df33502e610c966f1f9a1ad7b158b54e8ff731fe24aec334c084216b62a7382f06
SSDEEP

3072:2JX29m8QBUoItA/leC6gSJ+2JiclnUOvrRxqmLcHeNJxPkdVdTRcDK6:2EmleC6gSJWclU0RxVLcHe5cdTR

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1004	1712	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1712 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1712 WINWORD.EXE
1712 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1712 WINWORD.EXE
1712 WINWORD.EXE

pid	process
1712	WINWORD.EXE

pid	process
1712	WINWORD.EXE
1712	WINWORD.EXE

pid	process
1712	WINWORD.EXE
1712	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice# 55452732.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\105959.tmp"
2⤵
- Process spawned unexpected child process
PID:1004

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\105959.tmp"
3⤵
PID:1332

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SGHhGbFP\MRDsdntzIQh.dll"
4⤵
PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\105959.tmp

Filesize
353.2MB

MD5
8c626cdc3684a1b07d0e2f3bab0eb77a

SHA1
4b0f215d4c509bcbcc7b736817279d87615a12ae

SHA256
80418fee8104ff72aa920d0f8efba61525d252346141a57e7d4ec30e626c5966

SHA512
2860a6da3bfa40c97c2de97dac106734c298f7d37c84ea05143a8e9d0ee4af62be0764e90f0ee7a67fd8aa168018a405c72225bf7ef6ecb2904d7500100cd97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\110049.zip

Filesize
821KB

MD5
f1ec7bd22e219fdb389f5e2a0a8132df

SHA1
fe8cf0aa2da1a147024c82ac45989795e5b467e0

SHA256
8582757782e4048ba84898de0953c7c9710d84c2e764d1fca8b1d393c436dbc8

SHA512
2b77027da8f0811f7cfc3735e579c4fd7e3506d85fa78ad667e88bd43dc0ab376d2b8b0c6aab3d35678810a9ee6e589b93d60aa481239ad3acf91cadc88f4969

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
18076b5d1c33850e1a5db087f07b275e

SHA1
6c0ac3b61ff54046bc63ea5032e756f1a0429135

SHA256
1b86686ecdcf3049418fffd9b03ddac6c3d6b3acd54daa629bf84d322b00fd03

SHA512
2ac4ce8c1dfcf483608b425f72a32ed96eb607790ca35b7eaca329fb4da55f6d7ff8f1a7f5a447fe659623449d8eb98f217350e5996652410c5b003aff376d73

Download Submit
\Users\Admin\AppData\Local\Temp\105959.tmp

Filesize
354.2MB

MD5
7a1b9a609cc748387736ceb29b61d18f

SHA1
4605a8b1bc06339940a08b65df841e68b3976ae8

SHA256
c8259729387f9e23f771934d0a8ba761e051cf958a6ec10e951df4487e942519

SHA512
c7ac199ea8c64eb4fe5aa9343f26bb91f46ed41d3b7ba5ac06ece876254c169d26c3a9567d07f5fb3a792df8704e60c71e92352be22a4f262cb2245970161759

Download Submit
\Users\Admin\AppData\Local\Temp\105959.tmp

Filesize
290.3MB

MD5
cc339a449681dada6b69ab2ce89da54f

SHA1
3d5b21fa7c46c0bef2823e3827c5b13b56ecf6e8

SHA256
7f0b8a36dcf7e93970fb67830b0b3e065f94fb549de090381c0f1c52cf98a1d3

SHA512
7bb7996937eb00f985e3039fe021ff90aec44a1999a6381d03dab11f43849dc1e709f986011757a7c667195cc9e57ad1325d1be2cad291b5d7673d23ba5b1240

Download Submit
memory/616-1772-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1332-1771-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1712-86-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1712-60-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-61-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-62-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-63-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-64-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-65-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-66-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-67-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-88-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-68-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-70-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-71-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-72-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-73-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-74-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-75-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-76-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-77-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-78-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-79-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-80-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-81-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-84-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-82-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-83-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-58-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-85-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-87-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-117-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-59-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-69-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-91-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-92-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-93-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-94-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-95-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-96-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-98-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-97-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-99-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-100-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-101-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-102-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-103-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-104-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-105-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-106-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-107-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-108-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-109-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-110-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-111-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-112-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-113-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-114-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-115-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-57-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-90-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-116-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-89-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1712-1509-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/1712-1760-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download