fb7ec650e35e5df2b91422942730d0d31c288d06669c00bddf989d1d149bf0e1

Analysis

max time kernel
53s
max time network
125s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fakturierung.doc
Size

534.3MB
MD5

bf16595909993047ef58203821614b7c
SHA1

cc3715547c98a950ad61842026045de915f6ab98
SHA256

45fb8507138935dda07ec1fb243b61e18954f44691f383e48e32301a4dd5d61c
SHA512

b56d9c99ca78b503ff426536407447a7e750a01af5af9f3ab4f12dc872b8b3a798d83eb2f9867869ee29daefc947fd5b82d953e72d3529e3291e1a5370d3a9b0
SSDEEP

6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	988	1772	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1772 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1772 WINWORD.EXE
1772 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1772 WINWORD.EXE
1772 WINWORD.EXE

pid	process
1772	WINWORD.EXE

pid	process
1772	WINWORD.EXE
1772	WINWORD.EXE

pid	process
1772	WINWORD.EXE
1772	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Fakturierung.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\132231.tmp"
2⤵
- Process spawned unexpected child process
PID:988

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\132231.tmp"
3⤵
PID:1712

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IxzRuJkr\wPlqYlCLExUe.dll"
4⤵
PID:1368

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
849df2a21db5cb40a702c058464251a4

SHA1
050628b15e26607b2ca0d9305ed86afdf364d403

SHA256
b19556c6b5e56d3262efee8119ca85849fa6f90b756387b53311fa41bad4c95b

SHA512
818a8d19450b1b89e19de7648282dbf4be7d0f4dae3ca1fa8d7687fd9d47842e723672175afa42b076186f6ceaad78050142c104e33936b858a0b79cad85b603

Download Submit
C:\Users\Admin\AppData\Local\Temp\132231.tmp
Filesize
523.5MB

MD5
bdcbd67c023c8572b6b7aedf3d326f45

SHA1
70111bf00b6357316648d1cc8b6d1e4d56c350d0

SHA256
7bbbec1a5a9a6e676952be7aaad483087463516a7acdabc8effc42909cd65fce

SHA512
6c242ec9cfb05f854cdc1439e24e9a59bc7f3fd631a11b8aec6c52bd0f1816bc072946cabe74cc7dc8dae4aa5adbbf478818f922ed8b8ed9a507c1769aeea65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\132302.zip
Filesize
829KB

MD5
b5735621a1ff41aa190380856e7635b4

SHA1
61f0832f1ec68f017ae3ff97b5238e055ec1788f

SHA256
1639ae2dae63b4d1df66ddaa4bb94adcc183f925afdbd2cbb1b59095f9b560b5

SHA512
acaad69d0dc52035395cfd60258f4d1f07f527379a31314c0352762233d1cc295cc860d4ae2247c0bb7bf9f554e9350d05e3ef9921f36393b4304ac743f781ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4C60.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F92.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
2a9b7fd61b1a1bfb70a2e373206f4c2d

SHA1
cb8b6b034f43df5eb8d3f369a5bc1447f1b228ae

SHA256
8898db0d46f247e2597eda8db1ea141e4c6225f1ce9f70c553426a46e7712490

SHA512
17330367fb130f8947fcc3def3de419130d3b67ebf191f53fe07c217b96d0b7df90ee2c7c5b7537028e693f1e3f9d39f4448d3b7ea62e2f31615098b1b1f8ebd

Download Submit
\Users\Admin\AppData\Local\Temp\132231.tmp
Filesize
523.5MB

MD5
bdcbd67c023c8572b6b7aedf3d326f45

SHA1
70111bf00b6357316648d1cc8b6d1e4d56c350d0

SHA256
7bbbec1a5a9a6e676952be7aaad483087463516a7acdabc8effc42909cd65fce

SHA512
6c242ec9cfb05f854cdc1439e24e9a59bc7f3fd631a11b8aec6c52bd0f1816bc072946cabe74cc7dc8dae4aa5adbbf478818f922ed8b8ed9a507c1769aeea65e

Download Submit
\Users\Admin\AppData\Local\Temp\132231.tmp
Filesize
424.3MB

MD5
08f0474f52858829857689491799d1f2

SHA1
b0b1d48279da01d367c8e9e4cf700544d23c7185

SHA256
a817543028303935247d1569ab42ff0bb28f96b166b36dc899801fff7a18a6bd

SHA512
c25ca60ae5dcc1733680e34a8778c53ad1f59744f49095c2b0d7e10bdf606627dab3b8ccd30cb1570f6cdec4c128e36e1fc65a94638d0c533637a0c8f985d4da

Download Submit
memory/1368-1418-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1712-1416-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1772-82-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-88-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-64-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-65-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-66-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-67-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-68-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-69-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-70-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-71-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-72-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-73-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-74-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-75-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-76-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-77-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-78-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-79-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-80-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-62-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-81-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-83-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-84-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-85-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-86-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-63-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-87-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-89-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-90-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-91-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-92-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-93-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-96-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-94-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-95-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-97-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-98-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-101-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-100-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-102-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-99-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-108-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-1215-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/1772-61-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-60-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-59-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-58-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-1417-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/1772-57-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/1772-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download