Overview

overview

10

Static

static

8

attachment...52.doc

windows7-x64

10

attachment...52.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2023 11:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    attachments-6638165552.doc

  • Size

    509.4MB

  • MD5

    03251ffef5258b063be069d270cfbf7b

  • SHA1

    a7392be41e721a9442eb3ec84b1da92d347312d7

  • SHA256

    b99e698fbc3abfa9f15330fa531333fdc7b2226aee82ad431e5a3d98cf3b5503

  • SHA512

    79156f3fe2b672625fdb323e5b1bc325b14fa3e9efe2ed14fa271e0cda909880b00b73f5958f03e13b66a20cbd072b386fa0ab9ddd0987f0bc28ec5ffc15ed2e

  • SSDEEP

    6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\attachments-6638165552.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1668
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\123936.tmp"
        2⤵
        • Process spawned unexpected child process
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Users\Admin\AppData\Local\Temp\123936.tmp"
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1520
          • C:\Windows\system32\regsvr32.exe
            C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZtUnsFSZ\piOIVUVKtOmbKNIR.dll"
            4⤵
              PID:836

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\123936.tmp
        Filesize

        527.5MB

        MD5

        6ea930620e66f8cb84e1774d0a6c0b2d

        SHA1

        748404bba874a143cdce8af9422fda733993dc89

        SHA256

        bd55dcc2e45d2274f6575f862f7fb7f52a898e44b4910cdbb4bd71a44620b44a

        SHA512

        6c62986b29171f4d5b1616e103c711d51120677e796a90eed83a5823835f63bf7aa4d4260f92597856b39d8afd39a8ff7be941ca9b1e2750529d4c1f405a2c18

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\123941.zip
        Filesize

        834KB

        MD5

        cf86a720a67639874a9b3b8de8e144a7

        SHA1

        faf52019395bd4c8f30c39564712b0fce0ada472

        SHA256

        2c7dfb631c1482ee65c1b2af2eba544f7efe1724fe8e39c9bb2ec86bbd77fdd2

        SHA512

        15ca8279ab68fa5f2ee175641cd5570f8fe6b4195d62a3420cd02c157614af4d395e9a1e2ea57ce9229f09fcacf1a99ccc19d44ae06627b0302926643c5c0008

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        e611b53fd06add95c090208f3464d82a

        SHA1

        d793150e8650b4383d7a0aebb376effad96eda64

        SHA256

        434a0a55872ba655f05cd2ca218474662b605dab4a2177246263f5c560165934

        SHA512

        f64c7efa7edea38845551df36920729a6be488ffe930f16f6e851b1030bdcbd1ccf704121e052183e04c70e8efc37a6ecca1fd0ddaa4ddf89ca04eccae13c08f

        Download Submit
      • \Users\Admin\AppData\Local\Temp\123936.tmp
        Filesize

        527.5MB

        MD5

        6ea930620e66f8cb84e1774d0a6c0b2d

        SHA1

        748404bba874a143cdce8af9422fda733993dc89

        SHA256

        bd55dcc2e45d2274f6575f862f7fb7f52a898e44b4910cdbb4bd71a44620b44a

        SHA512

        6c62986b29171f4d5b1616e103c711d51120677e796a90eed83a5823835f63bf7aa4d4260f92597856b39d8afd39a8ff7be941ca9b1e2750529d4c1f405a2c18

        Download Submit
      • \Users\Admin\AppData\Local\Temp\123936.tmp
        Filesize

        527.5MB

        MD5

        6ea930620e66f8cb84e1774d0a6c0b2d

        SHA1

        748404bba874a143cdce8af9422fda733993dc89

        SHA256

        bd55dcc2e45d2274f6575f862f7fb7f52a898e44b4910cdbb4bd71a44620b44a

        SHA512

        6c62986b29171f4d5b1616e103c711d51120677e796a90eed83a5823835f63bf7aa4d4260f92597856b39d8afd39a8ff7be941ca9b1e2750529d4c1f405a2c18

        Download Submit
      • memory/836-1744-0x0000000000400000-0x0000000000401000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1152-90-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-117-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-60-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-61-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-62-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-63-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-64-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-65-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-66-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-67-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-84-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-69-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-70-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-71-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-72-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-73-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-74-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-75-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-76-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-77-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-78-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-79-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-82-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-81-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-80-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-83-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-86-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-88-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-58-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-89-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-1745-0x00000000069D0000-0x00000000069D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1152-59-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-68-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-91-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-92-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-95-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-94-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-97-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-96-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-93-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-98-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-99-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-101-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-102-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-105-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-107-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-104-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-103-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-100-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-106-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-108-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-110-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-111-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-113-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-114-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-115-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-112-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-109-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-116-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-85-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-1486-0x00000000069D0000-0x00000000069D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1152-87-0x0000000000550000-0x0000000000650000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1152-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1520-1739-0x00000000002A0000-0x00000000002A1000-memory.dmp
        Filesize

        4KB

        Download