Analysis
-
max time kernel
112s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
14-03-2023 12:19
General
-
Target
SCAN_6.doc
-
Size
524.4MB
-
MD5
e422ecaa33d71c00c4562e3b931cd7e2
-
SHA1
490e95c3eacabfa6e47f2b9b1a691e15441a5d1d
-
SHA256
7e92fd7a1554ba396bb14db43950b989d2f44155fed73ec12deaf11a01d606af
-
SHA512
ff4af4a054f17d84bb063612496468e6ecc34f73af3020e37c5b19dffa7f904553f2dfe84a8e3aced1db932acec3f027ed1d8c7c246ed2c653660f2ad29c8cb7
-
SSDEEP
6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SCAN_6.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\132033.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\132033.tmp"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\PoIWN\mbYirbccHiunwk.dll"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\132033.tmpFilesize
500.5MB
MD5196a0b2343e42f7920d3a2318fff4587
SHA17b3ecbf15ffd6458dd13d6b9bcc3bc8457bc43f0
SHA2565aff3d7103d86e164eb982dcd2fc102e7f81e7dcc4135b51d40d3ddecf77b00d
SHA512981148d32784c9ecd0069b1ef1411ce7fe5f896da2a530700fe5d222233ab5dea5431176924af6623589ce03e464eb83d1cd0b6e0e47648c533a4a007a5ad489
-
C:\Users\Admin\AppData\Local\Temp\132039.zipFilesize
807KB
MD50fa7b227a3e74838473b48da2e0427d7
SHA14b89e027ec5a55253b824d000dab117129f8b398
SHA256445a9d7dda9a6c4264fed0a4ba086b498591ae37f2184bba5b10d23edb1170d2
SHA512ea7fd2ac636401a454aaa8a011ceb906d98cc538e5f06a325fc81141cec1f7451e1ba88096691a36259179210394280f5ffc69ac6d7b803c816b00d70f7d154f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD527212df7da5823dc3c32f49de9df9169
SHA1807514ab7895418c926259f8fb1924606dc83856
SHA256cf589570fabefdbfb50036608886e6156ab5bbe84ba469845c736a393dbb7d1c
SHA512acd10b141e5be0269ca21ec1ec2288926680011ce3fc058da1fe7bb7383b419ab9c69543d0476128bfa2af17aa805d03c5c0ed1408e7c4e704a040ad2f1d1097
-
\Users\Admin\AppData\Local\Temp\132033.tmpFilesize
500.5MB
MD5196a0b2343e42f7920d3a2318fff4587
SHA17b3ecbf15ffd6458dd13d6b9bcc3bc8457bc43f0
SHA2565aff3d7103d86e164eb982dcd2fc102e7f81e7dcc4135b51d40d3ddecf77b00d
SHA512981148d32784c9ecd0069b1ef1411ce7fe5f896da2a530700fe5d222233ab5dea5431176924af6623589ce03e464eb83d1cd0b6e0e47648c533a4a007a5ad489
-
\Users\Admin\AppData\Local\Temp\132033.tmpFilesize
500.5MB
MD5196a0b2343e42f7920d3a2318fff4587
SHA17b3ecbf15ffd6458dd13d6b9bcc3bc8457bc43f0
SHA2565aff3d7103d86e164eb982dcd2fc102e7f81e7dcc4135b51d40d3ddecf77b00d
SHA512981148d32784c9ecd0069b1ef1411ce7fe5f896da2a530700fe5d222233ab5dea5431176924af6623589ce03e464eb83d1cd0b6e0e47648c533a4a007a5ad489
-
memory/636-1739-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB
-
memory/1228-1745-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1296-86-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-1744-0x0000000006F20000-0x0000000006F21000-memory.dmpFilesize
4KB
-
memory/1296-61-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-62-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-63-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-65-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-64-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-66-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-68-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-69-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-67-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-72-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-70-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-91-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-73-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-74-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-75-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-76-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-77-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-78-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-79-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-80-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-81-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-82-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-83-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-84-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-85-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-59-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-87-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-88-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-89-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-60-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-71-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-92-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-93-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-94-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-96-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-95-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-97-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-98-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-99-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-100-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-101-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-102-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-103-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-104-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-105-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-106-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-107-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-108-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-109-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-110-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-111-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-112-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-113-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-115-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-116-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-114-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-117-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-1486-0x0000000006F20000-0x0000000006F21000-memory.dmpFilesize
4KB
-
memory/1296-90-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-58-0x00000000002C0000-0x00000000003C0000-memory.dmpFilesize
1024KB
-
memory/1296-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB