34d2dcf1d040ef6a492681dd2b6389f2658f905559ae38319444d7f293ec88de

Analysis

max time kernel
29s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOC_867991348.doc
Size

522.4MB
MD5

6abed631921d3eafd17c85ae7eb41bc1
SHA1

2fc878888ca81cf16cf37dd7337c8fee53df00f8
SHA256

d6245767403d271e6eff94cbab75f3262836d54e2b177f742f9f86d91891b497
SHA512

243db059b98351859f81b39cebac10c2499a2b3f529fc2f9ec8f1b7f85cfb5fa871697246b94247ba00383ea11226f4ce717416dab40cac101caf30ba506ce32
SSDEEP

6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1232	1496	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1496 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1496 WINWORD.EXE
1496 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1496 WINWORD.EXE
1496 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1496	WINWORD.EXE

pid	process
1496	WINWORD.EXE
1496	WINWORD.EXE

pid	process
1496	WINWORD.EXE
1496	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1496 wrote to memory of 1340	1496	WINWORD.EXE	splwow64.exe
PID 1496 wrote to memory of 1340	1496	WINWORD.EXE	splwow64.exe
PID 1496 wrote to memory of 1340	1496	WINWORD.EXE	splwow64.exe
PID 1496 wrote to memory of 1340	1496	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DOC_867991348.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1340

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\125729.tmp"
2⤵
- Process spawned unexpected child process
PID:1232

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\125729.tmp"
3⤵
PID:240

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JzJNwmuijlh\wMtkbhMtlbMZTA.dll"
4⤵
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\125729.tmp
Filesize
546.5MB

MD5
80ff1e52294ff139fb019b55a2b657fd

SHA1
5dfda0c36d21b80981303bd0ac3f47632b4b0681

SHA256
66e9d7c30408d296fc816e0ff1fc8f8c86c64913924f7699032033cd2f4c5922

SHA512
53f7920a4191423a9f0864a6fbaed876f90973e944d49c355b40c3f2bfa1ef4eb5774e763347f09e3a784b862e706518f77479831ac74964e05d0ce67445947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\125734.zip
Filesize
853KB

MD5
72535edcb81fcdd329fc51362e166d38

SHA1
228a6934345e168c726f2b8e2a77e49d0da483c2

SHA256
41a2fce0c0727712ff41c0428889c56ea725ef1badd54e09beade0799bfd1173

SHA512
16e28803a6d6adda7d32a49c27f89550cc7dd270366eb50e63a3a9d724278328a5adfd230c6d3c25bfd3e306194573afafeaa7215ec38a719184485b0e1b2603

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
3327aa2c44f59571eb1ed912bb2c004e

SHA1
ed4f845a62b4d070fb8a72821a710f597cb8fdbd

SHA256
8b3a9c17d7b5eef9c8d706f456b06b9cb2db560b6ac198b05af29e214221dbce

SHA512
9d51dedd7665eef6094766b3330f60db60318bca35c83be0cad8a93da152f3cbfcd2ce315ac876fc8b47e4c7c8936abe145bece41e6741721e5f19ac4c0466b5

Download Submit
\Users\Admin\AppData\Local\Temp\125729.tmp
Filesize
546.5MB

MD5
80ff1e52294ff139fb019b55a2b657fd

SHA1
5dfda0c36d21b80981303bd0ac3f47632b4b0681

SHA256
66e9d7c30408d296fc816e0ff1fc8f8c86c64913924f7699032033cd2f4c5922

SHA512
53f7920a4191423a9f0864a6fbaed876f90973e944d49c355b40c3f2bfa1ef4eb5774e763347f09e3a784b862e706518f77479831ac74964e05d0ce67445947d

Download Submit
\Users\Admin\AppData\Local\Temp\125729.tmp
Filesize
542.3MB

MD5
5e100d86428cf3b879ddfe1c51226a2e

SHA1
e5d3b5cfee9f51274045c78c1fba7a38734c987a

SHA256
88b7c47a231dfdd79fb9fb09ebf6b6f5a41eabea5453dfa89dafcc2c610dc965

SHA512
3ffbd16a62b1ad5872bdf77583cb9e42743d9ac579274b5c64bb7feb201791f83115a71e1b5ed2566dec4f1de227a601d14182f0f7ddf4296fb6d4bab68c9289

Download Submit
memory/240-1739-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1156-1745-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1496-86-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-1744-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/1496-61-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-62-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-63-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-64-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-65-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-66-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-67-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-68-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-69-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-70-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-71-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-88-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-73-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-74-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-75-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-76-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-77-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-78-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-81-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-82-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-80-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-79-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-83-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-84-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-85-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-59-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-89-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-90-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-91-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-60-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-72-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-94-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-93-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-95-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-96-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-98-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-99-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-101-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-100-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-97-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-87-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-102-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-106-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-105-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-104-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-107-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-108-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-109-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-103-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-110-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-111-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-113-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-112-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-117-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-116-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-115-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-114-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-1486-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/1496-92-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-58-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1496-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download