Analysis
-
max time kernel
53s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
14/03/2023, 12:21
Behavioral task
behavioral1
Sample
Fakturierung.doc
Resource
win7-20230220-en
General
-
Target
Fakturierung.doc
-
Size
534.3MB
-
MD5
bf16595909993047ef58203821614b7c
-
SHA1
cc3715547c98a950ad61842026045de915f6ab98
-
SHA256
45fb8507138935dda07ec1fb243b61e18954f44691f383e48e32301a4dd5d61c
-
SHA512
b56d9c99ca78b503ff426536407447a7e750a01af5af9f3ab4f12dc872b8b3a798d83eb2f9867869ee29daefc947fd5b82d953e72d3529e3291e1a5370d3a9b0
-
SSDEEP
6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 988 1772 regsvr32.exe 15 -
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1772 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1772 WINWORD.EXE 1772 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1772 WINWORD.EXE 1772 WINWORD.EXE
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Fakturierung.doc"1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1772 -
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\132231.tmp"2⤵
- Process spawned unexpected child process
PID:988 -
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\132231.tmp"3⤵PID:1712
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\IxzRuJkr\wPlqYlCLExUe.dll"4⤵PID:1368
-
-
-
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:840
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5849df2a21db5cb40a702c058464251a4
SHA1050628b15e26607b2ca0d9305ed86afdf364d403
SHA256b19556c6b5e56d3262efee8119ca85849fa6f90b756387b53311fa41bad4c95b
SHA512818a8d19450b1b89e19de7648282dbf4be7d0f4dae3ca1fa8d7687fd9d47842e723672175afa42b076186f6ceaad78050142c104e33936b858a0b79cad85b603
-
Filesize
523.5MB
MD5bdcbd67c023c8572b6b7aedf3d326f45
SHA170111bf00b6357316648d1cc8b6d1e4d56c350d0
SHA2567bbbec1a5a9a6e676952be7aaad483087463516a7acdabc8effc42909cd65fce
SHA5126c242ec9cfb05f854cdc1439e24e9a59bc7f3fd631a11b8aec6c52bd0f1816bc072946cabe74cc7dc8dae4aa5adbbf478818f922ed8b8ed9a507c1769aeea65e
-
Filesize
829KB
MD5b5735621a1ff41aa190380856e7635b4
SHA161f0832f1ec68f017ae3ff97b5238e055ec1788f
SHA2561639ae2dae63b4d1df66ddaa4bb94adcc183f925afdbd2cbb1b59095f9b560b5
SHA512acaad69d0dc52035395cfd60258f4d1f07f527379a31314c0352762233d1cc295cc860d4ae2247c0bb7bf9f554e9350d05e3ef9921f36393b4304ac743f781ba
-
Filesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
Filesize
161KB
MD5be2bec6e8c5653136d3e72fe53c98aa3
SHA1a8182d6db17c14671c3d5766c72e58d87c0810de
SHA2561919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA5120d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff
-
Filesize
20KB
MD52a9b7fd61b1a1bfb70a2e373206f4c2d
SHA1cb8b6b034f43df5eb8d3f369a5bc1447f1b228ae
SHA2568898db0d46f247e2597eda8db1ea141e4c6225f1ce9f70c553426a46e7712490
SHA51217330367fb130f8947fcc3def3de419130d3b67ebf191f53fe07c217b96d0b7df90ee2c7c5b7537028e693f1e3f9d39f4448d3b7ea62e2f31615098b1b1f8ebd
-
Filesize
523.5MB
MD5bdcbd67c023c8572b6b7aedf3d326f45
SHA170111bf00b6357316648d1cc8b6d1e4d56c350d0
SHA2567bbbec1a5a9a6e676952be7aaad483087463516a7acdabc8effc42909cd65fce
SHA5126c242ec9cfb05f854cdc1439e24e9a59bc7f3fd631a11b8aec6c52bd0f1816bc072946cabe74cc7dc8dae4aa5adbbf478818f922ed8b8ed9a507c1769aeea65e
-
Filesize
424.3MB
MD508f0474f52858829857689491799d1f2
SHA1b0b1d48279da01d367c8e9e4cf700544d23c7185
SHA256a817543028303935247d1569ab42ff0bb28f96b166b36dc899801fff7a18a6bd
SHA512c25ca60ae5dcc1733680e34a8778c53ad1f59744f49095c2b0d7e10bdf606627dab3b8ccd30cb1570f6cdec4c128e36e1fc65a94638d0c533637a0c8f985d4da