90768858560bc255898fccf87141a32c8536f8f2eab829bdd607a52ce4c08266

Analysis

max time kernel
49s
max time network
47s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INFO_51.doc
Size

545.4MB
MD5

f0cb9379f2e06fac5d274c45bf314b29
SHA1

3d6aa9460f01ff18ccc15a79feb74d5fdb689367
SHA256

f1302aa30d6ac7a0ff628f2b795104badee29b61f256d71a246dcac7ae799a3d
SHA512

69f9bbb52772be9bf9477085ea9a20c526cbca35e0e2ed97b4c277758083e5c53662719db1c8c5455f29aac515dc6f85cdff7a0c0e2fb0bb800961203dbce2d8
SSDEEP

6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1348	1928	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 13 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1928 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1928 WINWORD.EXE
1928 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1928 WINWORD.EXE
1928 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1928	WINWORD.EXE

pid	process
1928	WINWORD.EXE
1928	WINWORD.EXE

pid	process
1928	WINWORD.EXE
1928	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1928 wrote to memory of 876	1928	WINWORD.EXE	splwow64.exe
PID 1928 wrote to memory of 876	1928	WINWORD.EXE	splwow64.exe
PID 1928 wrote to memory of 876	1928	WINWORD.EXE	splwow64.exe
PID 1928 wrote to memory of 876	1928	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INFO_51.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:876

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\130339.tmp"
2⤵
- Process spawned unexpected child process
PID:1348

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\130339.tmp"
3⤵
PID:1736

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VPdWGhFICLpTCxiGa\sXTS.dll"
4⤵
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\130339.tmp
Filesize
527.5MB

MD5
6ea930620e66f8cb84e1774d0a6c0b2d

SHA1
748404bba874a143cdce8af9422fda733993dc89

SHA256
bd55dcc2e45d2274f6575f862f7fb7f52a898e44b4910cdbb4bd71a44620b44a

SHA512
6c62986b29171f4d5b1616e103c711d51120677e796a90eed83a5823835f63bf7aa4d4260f92597856b39d8afd39a8ff7be941ca9b1e2750529d4c1f405a2c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\130403.zip
Filesize
834KB

MD5
cf86a720a67639874a9b3b8de8e144a7

SHA1
faf52019395bd4c8f30c39564712b0fce0ada472

SHA256
2c7dfb631c1482ee65c1b2af2eba544f7efe1724fe8e39c9bb2ec86bbd77fdd2

SHA512
15ca8279ab68fa5f2ee175641cd5570f8fe6b4195d62a3420cd02c157614af4d395e9a1e2ea57ce9229f09fcacf1a99ccc19d44ae06627b0302926643c5c0008

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
b3aeb895ba8e13e8d9fa57cae300a615

SHA1
a3e81826977a052e6db204df77e321fbb304715f

SHA256
0bbd022807ba8596ead2dd7a8d43f730acd536d9b09cd32af213700e07954e16

SHA512
67dd441b903d0a084c13e3f4294bc3fdc84433da8d26eb48c8cdac2999683ecd377f383f36f1a0e527e7dcc4714c1028a2e9b6b92ad553309e6d39c2b8f38576

Download Submit
\Users\Admin\AppData\Local\Temp\130339.tmp
Filesize
527.5MB

MD5
6ea930620e66f8cb84e1774d0a6c0b2d

SHA1
748404bba874a143cdce8af9422fda733993dc89

SHA256
bd55dcc2e45d2274f6575f862f7fb7f52a898e44b4910cdbb4bd71a44620b44a

SHA512
6c62986b29171f4d5b1616e103c711d51120677e796a90eed83a5823835f63bf7aa4d4260f92597856b39d8afd39a8ff7be941ca9b1e2750529d4c1f405a2c18

Download Submit
\Users\Admin\AppData\Local\Temp\130339.tmp
Filesize
497.4MB

MD5
c161b0771c6e7f48fe5e9c1f2b3faa83

SHA1
3cb0c082ed18f0b5dd6bd6449b9f2a1d7ce6a00a

SHA256
ca6445e520d597d14325a5a7c2fc7f08172791cdfb9e2d60a8f70c0c84e26f2a

SHA512
4c380c590b48b3820dc5f6fd5ebf0cc55ab447ecdf935b1ec62114f8f5bdee39f1ce345d1682a3d095823edf2b3348f415bbb24efdfd2385a540eb6485b8b533

Download Submit
memory/1124-1745-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1736-1739-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1928-86-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-1486-0x0000000006A00000-0x0000000006A01000-memory.dmp

Filesize
4KB

Download
memory/1928-62-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-63-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-58-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-65-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-66-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-67-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-68-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-64-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-69-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-70-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-71-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-91-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-74-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-75-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-72-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-76-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-77-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-78-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-79-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-80-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-81-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-82-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-85-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-84-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-83-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-60-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-87-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-90-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-88-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-61-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-73-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-94-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-93-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-95-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-96-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-98-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-97-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-92-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-99-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-100-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-101-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-102-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-103-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-104-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-107-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-106-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-108-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-109-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-110-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-111-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-112-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-113-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-105-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-116-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-59-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-115-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-114-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-117-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-89-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1928-1744-0x0000000006A00000-0x0000000006A01000-memory.dmp

Filesize
4KB

Download
memory/1928-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download