Overview

overview

10

Static

static

8

29513950.doc

windows7-x64

10

29513950.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2023 10:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    29513950.doc

  • Size

    525.4MB

  • MD5

    322f2027c745ee42393251d6fc551d1e

  • SHA1

    483b36f1816e938de6089afc1ad8d863ed1e8d7f

  • SHA256

    7b30882d98594b6d5222c6f548ff1b0802da5fdf54fdd7795393ef4c80ed2956

  • SHA512

    0f342c1c035622bb94d2a52dc899de472209aeac023c8e65cf036741e427a012a291c9c905f65173f5475f53de80ac68104badcd3832d74f01277f32c750c06c

  • SSDEEP

    6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\29513950.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1712
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\114824.tmp"
        2⤵
        • Process spawned unexpected child process
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Users\Admin\AppData\Local\Temp\114824.tmp"
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1940
          • C:\Windows\system32\regsvr32.exe
            C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BXcNNZJJKQsNMuEa\YEttm.dll"
            4⤵
              PID:1732

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\114824.tmp
        Filesize

        500.5MB

        MD5

        196a0b2343e42f7920d3a2318fff4587

        SHA1

        7b3ecbf15ffd6458dd13d6b9bcc3bc8457bc43f0

        SHA256

        5aff3d7103d86e164eb982dcd2fc102e7f81e7dcc4135b51d40d3ddecf77b00d

        SHA512

        981148d32784c9ecd0069b1ef1411ce7fe5f896da2a530700fe5d222233ab5dea5431176924af6623589ce03e464eb83d1cd0b6e0e47648c533a4a007a5ad489

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\114829.zip
        Filesize

        807KB

        MD5

        9f8ab3024b733342e0f38fc956828ab1

        SHA1

        ed09d2b2b6f92afeba2dbf6a6a6a014842367035

        SHA256

        239b469c60e26cf5c3e65733829a345965b2fbc36003b1db03bae491289d53e8

        SHA512

        0effbd408a99523dc9270aa2e2ac1a2c9681905e5f648a65b926ada52863642862c202d5a57c5762de3e4b5e627bee268b41af7c7d877121d0e04ca97876c8bd

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        cdb4521a0f64e0d21918346b656124ff

        SHA1

        11bbdcad3c8a670478feaa0ac300c9a219f91c28

        SHA256

        d69d3bce75c4df82b6dee755708aeff0a6f2d7f956a057e8b8828fa5ec6f0a7d

        SHA512

        04818b4120c129d6000a2c9e96857f8f50d7910ce6674b47150218e0d6a664fcb488b71e581f5193d4121ef6d3f78216d36432c1ccb4f8c8a4ed7ae98f80267b

        Download Submit
      • \Users\Admin\AppData\Local\Temp\114824.tmp
        Filesize

        500.5MB

        MD5

        196a0b2343e42f7920d3a2318fff4587

        SHA1

        7b3ecbf15ffd6458dd13d6b9bcc3bc8457bc43f0

        SHA256

        5aff3d7103d86e164eb982dcd2fc102e7f81e7dcc4135b51d40d3ddecf77b00d

        SHA512

        981148d32784c9ecd0069b1ef1411ce7fe5f896da2a530700fe5d222233ab5dea5431176924af6623589ce03e464eb83d1cd0b6e0e47648c533a4a007a5ad489

        Download Submit
      • \Users\Admin\AppData\Local\Temp\114824.tmp
        Filesize

        500.5MB

        MD5

        196a0b2343e42f7920d3a2318fff4587

        SHA1

        7b3ecbf15ffd6458dd13d6b9bcc3bc8457bc43f0

        SHA256

        5aff3d7103d86e164eb982dcd2fc102e7f81e7dcc4135b51d40d3ddecf77b00d

        SHA512

        981148d32784c9ecd0069b1ef1411ce7fe5f896da2a530700fe5d222233ab5dea5431176924af6623589ce03e464eb83d1cd0b6e0e47648c533a4a007a5ad489

        Download Submit
      • memory/1732-1741-0x0000000000190000-0x0000000000191000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-88-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-1486-0x0000000006AC0000-0x0000000006AC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-61-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-62-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-63-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-64-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-66-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-67-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-68-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-69-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-91-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-65-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-71-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-72-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-73-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-74-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-75-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-76-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-77-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-78-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-79-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-80-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-81-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-82-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-83-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-85-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-86-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-87-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-59-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-84-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-58-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-60-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-70-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-92-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-93-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-94-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-95-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-96-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-97-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-98-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-99-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-100-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-101-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-102-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-103-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-104-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-105-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-106-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-107-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-109-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-110-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-111-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-108-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-113-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-114-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-115-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-112-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-116-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-117-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-90-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-1740-0x0000000006AC0000-0x0000000006AC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1928-89-0x0000000000330000-0x0000000000430000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1928-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1940-1739-0x0000000000120000-0x0000000000121000-memory.dmp
        Filesize

        4KB

        Download