43bb42df26a3464677c81dcac31f942f58915831318c7425304c56243c3555b6

General

Target

Invoice n 0121 14 Mar 23.doc
Size

516.3MB
MD5

df1f5214a1183145cea5e869ac2d0b33
SHA1

006f600a1c3e3dba34e4e8d7f404375a63e7815a
SHA256

bbf8ae7c9146dec0eeafd8792d70d1bcec0f0156ae415db0e00508089f2e9d36
SHA512

b53f31f70901871469d2d5689f8de130ad7eb8fd78f8a7bd7f04354d3b0997716e337903fbe14dffd6de6f23152ddc607127016019613dc01c30e4a2c2240177
SSDEEP

6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	844	1984	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1984 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1984 WINWORD.EXE
1984 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1984 WINWORD.EXE
1984 WINWORD.EXE

pid	process
1984	WINWORD.EXE

pid	process
1984	WINWORD.EXE
1984	WINWORD.EXE

pid	process
1984	WINWORD.EXE
1984	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice n 0121 14 Mar 23.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\124447.tmp"
2⤵
- Process spawned unexpected child process
PID:844

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\124447.tmp"
3⤵
PID:1184

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ShdzlTDKbsYP\vAJAflYTVWsuTnY.dll"
4⤵
PID:1920

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\124447.tmp
Filesize
525.5MB

MD5
38399564cc8a616aeb27b22fa716b2ee

SHA1
12a734969136759bff7428f49111f40cb0616ad9

SHA256
a960e87f94fbd518fc65b10f6b3bd6c6ef014533277d7015f26438a589b0403f

SHA512
1cfdf37d3c34ae92946c96e7cfba12cc98230acb434f73701bc0cd6afa5bb7c77b22934cb94ea136b882573ccbc5cfcfb6121a41d70584f1d109075e15c5438e

Download Submit
C:\Users\Admin\AppData\Local\Temp\124515.zip
Filesize
831KB

MD5
c0cdaa24b56f503284fb7cae16f8eb27

SHA1
bcc2570a9a8d1251a9a2a11879987b88a07b3d91

SHA256
19659efa60a2e570b1b4cf506fae989666edb36720dcc978afbe8a53561fd433

SHA512
8662d34401a03d9d0fea8f288a56b0f1dcb8265e14390240c8f8dc2cf9526bcf26895c208d5b09201965076edcc25607600ffc0a435a81a78c5758d52b2cb7ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
8e302f691930efb41dbf4f29f1d50014

SHA1
c30a1aae90d84531c594c78656aabad38edc0906

SHA256
63235595c575b6957005654b0fe8f0b0d4081494d150456869076065c16383b0

SHA512
44bdf4b46538250d55d1340553cabb711096e5f0aee6cb367ef8c78c44ed2ab85b556f9c7f79dec0117f78ccd50e12dcf8c56c752868f8da44b48408de341f1c

Download Submit
\Users\Admin\AppData\Local\Temp\124447.tmp
Filesize
517.1MB

MD5
310bf2511bd091cf515e4cea69164cbf

SHA1
cc053be5916e2661facd86e274ac05b4270193c9

SHA256
a2b86720477ff4f11c2e4f3b5eefa9ad05402fb0b921f77ac82bc3b3b2694492

SHA512
c2466005df20d04e632ee2ef7a448eacba530af76b971255f15350c2a90be3ab5f228c7021f1ab1edafec1d074f83b263639076873e9cdfd8498f59f022aaa19

Download Submit
\Users\Admin\AppData\Local\Temp\124447.tmp
Filesize
525.5MB

MD5
38399564cc8a616aeb27b22fa716b2ee

SHA1
12a734969136759bff7428f49111f40cb0616ad9

SHA256
a960e87f94fbd518fc65b10f6b3bd6c6ef014533277d7015f26438a589b0403f

SHA512
1cfdf37d3c34ae92946c96e7cfba12cc98230acb434f73701bc0cd6afa5bb7c77b22934cb94ea136b882573ccbc5cfcfb6121a41d70584f1d109075e15c5438e

Download Submit
memory/1184-1346-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1920-1347-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1984-82-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-85-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-60-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-62-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-61-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-63-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-64-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-66-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-67-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-68-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-69-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-71-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-72-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-73-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-74-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-75-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-77-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-78-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-79-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-80-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-81-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-58-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-86-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-84-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-87-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-59-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-89-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-91-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-90-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-95-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-94-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-96-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-97-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-98-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-99-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-100-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-93-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-92-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-88-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-83-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-76-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-101-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-57-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-70-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-65-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-102-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/1984-1149-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/1984-1348-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/1984-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads