Analysis
-
max time kernel
55s -
max time network
39s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
14-03-2023 10:27
General
-
Target
SCAN-14032023.doc
-
Size
536.4MB
-
MD5
0414d3a2420f1a8bed6648457232d6c3
-
SHA1
044bc64da88a7f8c5fab58a16f03b7207edc37d7
-
SHA256
a81f976050152bc57609b467fe5cfa0b7b341776fb948a2fa2577c95fd984fa9
-
SHA512
876018471fbaca599580ab1368d6a12327e734e1ae26a8675d8d7f19281335f11a42f783e21058d456da90b10dabe787833ecae785fac3671ab498850fe97363
-
SSDEEP
6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SCAN-14032023.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\112853.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\112853.tmp"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\YXWSOnToIjaViFCZZ\sKxMBscWlHNWbS.dll"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\112853.tmpFilesize
267.5MB
MD53425fc240efe1937fe6f58337105f3c5
SHA116f13e92a285051ed96aacd4596beba4c8fb3b04
SHA256f07184d3f3580dd3c45b413fc4fb98b16c0b4f173f624e7e1429b42115aa9f43
SHA5126ad4d4599916b0f31306894f3cfcba5a9665b403d99ad08dca1b34d4a1dcadff30d6d567c04264e69a088dfae7946b97ead9f184306046885bb313699138409f
-
C:\Users\Admin\AppData\Local\Temp\112859.zipFilesize
842KB
MD52e76aa8b66e2e738aaf2b77afded17c0
SHA1cc83f22bd257b81cf04de0c5079761f82507b1d7
SHA2561e986cbf3a5c969d08121ad171978ef595163bdbf8d209d3218206aaf50be918
SHA512500d0334b853b1e3581ed79e4fdf741c321728dcde78ad9696fe2db80ed828369a52bd7e517af56fa886bf6a2611073b66e38f062f48fdf91ed14f5f84eff6fb
-
\Users\Admin\AppData\Local\Temp\112853.tmpFilesize
266.8MB
MD561c1470649176d88ef33ef138fe2d551
SHA1ced17d021a4bd76aad80eff4a2daaaae8c782d54
SHA25622b92094e270e06126c800737fb4f49c6e4777b7a66b9813b0170599b316814f
SHA512693cc778550618bbf6e4a2ef514b77395409ec5430db49eff115b14b717c5729a87bcf2925e8a2dbda4fc711e31e3d170f5231149418385e8633554f619e492b
-
\Users\Admin\AppData\Local\Temp\112853.tmpFilesize
268.1MB
MD51c15a8c56a13d4f211a7a1b82dd2475f
SHA1cbe9f6690ae01c2a1a29bdcf703dbc9f893c395f
SHA25627c3b18319d4f2a7fc88d6ccc05b4112c36420c3eb6010d83be871260a54278c
SHA51260c368776053ee4f400e837b2f3c207b71374e2df6861a6f676caa9874237e86604072839cfae46908f591b227f87df54cf6ff58202605d4797f2a24a4c841bc
-
memory/1032-1739-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB
-
memory/1364-117-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-64-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-58-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-60-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-61-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-63-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-66-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-71-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-75-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-74-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-113-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-83-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-88-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-87-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-89-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-91-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-92-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-96-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-98-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-99-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-100-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-97-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-104-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-106-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-107-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-111-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-110-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-114-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-116-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1364-1486-0x0000000006A00000-0x0000000006A01000-memory.dmpFilesize
4KB
-
memory/1364-59-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-79-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-108-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-109-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-105-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-103-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-101-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-102-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-94-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-95-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-93-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-90-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-86-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-84-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-85-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-82-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-81-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-80-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-78-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-77-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-76-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-73-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-72-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-70-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-69-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-68-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-67-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-65-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-112-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-62-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-115-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/1364-1744-0x0000000006A00000-0x0000000006A01000-memory.dmpFilesize
4KB
-
memory/1928-1745-0x0000000000130000-0x0000000000131000-memory.dmpFilesize
4KB