Resubmissions
14-03-2023 10:34
230314-mmgaksgh5z 814-03-2023 10:29
230314-mh7xqsgh4w 814-03-2023 10:24
230314-mfw3fsgh2z 10Analysis
-
max time kernel
112s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
14-03-2023 10:24
General
-
Target
14032023.doc
-
Size
514.4MB
-
MD5
de985fab7d0e11eff3ae0a1044868092
-
SHA1
3fce21270bc18ac725fc843e60dcd356c2ddc542
-
SHA256
1c50a2316e7d9a3710d705c7f6b26b87a6e1b16175925c66591c476d8482eaea
-
SHA512
cd9dbac7913ba63482700a338c76ca769354e070ae3654fba42080aaf8d12459450acb3fbe05cfadaadb83943945019218fe79c95fddd77587352d01d9499076
-
SSDEEP
6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\14032023.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\112552.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\112552.tmp"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\BYkICPWoSWiF\MgfVpcrj.dll"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\112552.tmpFilesize
535.5MB
MD5dc11f5b33804d7991dcf9a1a6a438bd5
SHA1a498aff2629ef6a731079f971b69f44b828aa1f0
SHA2560d908451da28a89bfd9397637349eee16892055fdaae2c8778c38e5e5d646c30
SHA512e00dc941c6cb882c66d48bd30e8682ee98324b142b0352c0a91b7e4b8e5c76ff222f6de950feefdaa81b2a33d1350d22dc92b53190b2609f73a2e1dd4452ba75
-
C:\Users\Admin\AppData\Local\Temp\112558.zipFilesize
842KB
MD52e76aa8b66e2e738aaf2b77afded17c0
SHA1cc83f22bd257b81cf04de0c5079761f82507b1d7
SHA2561e986cbf3a5c969d08121ad171978ef595163bdbf8d209d3218206aaf50be918
SHA512500d0334b853b1e3581ed79e4fdf741c321728dcde78ad9696fe2db80ed828369a52bd7e517af56fa886bf6a2611073b66e38f062f48fdf91ed14f5f84eff6fb
-
\Users\Admin\AppData\Local\Temp\112552.tmpFilesize
535.5MB
MD5dc11f5b33804d7991dcf9a1a6a438bd5
SHA1a498aff2629ef6a731079f971b69f44b828aa1f0
SHA2560d908451da28a89bfd9397637349eee16892055fdaae2c8778c38e5e5d646c30
SHA512e00dc941c6cb882c66d48bd30e8682ee98324b142b0352c0a91b7e4b8e5c76ff222f6de950feefdaa81b2a33d1350d22dc92b53190b2609f73a2e1dd4452ba75
-
\Users\Admin\AppData\Local\Temp\112552.tmpFilesize
504.6MB
MD538eae39fcb0470f21ea64a1db31756e3
SHA14a51eb0117dc5ec99bfd5082512265b775fe5468
SHA256c0c5e76f7697d9674bd4a84903b621fa2fa7688cd5b07dd6653e4310778c9dcf
SHA51269c0819ecbf745ce4aba318ead8ea6a6bdf1b863adfe5f7eec79cad647c97ee1b6d95d23572689f7b4755aed0954e059a6af68c8f0a61d3501551b68833dfa67
-
memory/112-1745-0x0000000000180000-0x0000000000181000-memory.dmpFilesize
4KB
-
memory/992-1738-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/1976-86-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-105-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-60-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-62-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-63-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-64-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-61-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-65-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-66-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-68-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-69-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-70-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-67-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-90-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-72-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-73-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-74-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-75-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-76-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-77-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-78-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-79-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-80-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-81-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-82-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-83-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-84-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-85-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-58-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-87-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-88-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-59-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-71-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-91-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-92-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-93-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-94-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-95-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-96-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-97-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-98-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-99-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-100-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-101-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-102-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-103-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-104-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-107-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-106-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-109-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-110-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-112-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-113-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-114-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-115-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-116-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-117-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-111-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1976-108-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-89-0x0000000000460000-0x0000000000560000-memory.dmpFilesize
1024KB
-
memory/1976-1481-0x00000000069F0000-0x00000000069F1000-memory.dmpFilesize
4KB
-
memory/1976-1732-0x00000000069F0000-0x00000000069F1000-memory.dmpFilesize
4KB