8ed606fe3b8a930e7a50f48b48329594a37baa3cde85fbb3fdc62991eb2a41e4

Analysis

max time kernel
33s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Message-5170127.doc
Size

517.4MB
MD5

18d1f38fecd10fd9d1f33bf443fb68d3
SHA1

0c6ec212d472fe44ce988ca4af069d61175f0602
SHA256

2cc1bb74d3083ce25b7d662beb6f7cdda0e81701dd3d000fc56fe50246675e0e
SHA512

8548b9861c65766bbc4d8cf86c6ad51fe4b0a7ce048e538049893b55ed49cc21b4b60dbacfe9df2f0fedda9d5677cef9ad019d89e668c5cc24d7517c2c68fed0
SSDEEP

6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1952	704	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

704 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

704 WINWORD.EXE
704 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

704 WINWORD.EXE
704 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
704	WINWORD.EXE

pid	process
704	WINWORD.EXE
704	WINWORD.EXE

pid	process
704	WINWORD.EXE
704	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 704 wrote to memory of 760	704	WINWORD.EXE	splwow64.exe
PID 704 wrote to memory of 760	704	WINWORD.EXE	splwow64.exe
PID 704 wrote to memory of 760	704	WINWORD.EXE	splwow64.exe
PID 704 wrote to memory of 760	704	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Message-5170127.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:760

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\123822.tmp"
2⤵
- Process spawned unexpected child process
PID:1952

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\123822.tmp"
3⤵
PID:1332

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MUWegLfVM\uHSLKkttnUS.dll"
4⤵
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123822.tmp
Filesize
457.8MB

MD5
e2840d30b734f6a970f4adbe3c7dc9c9

SHA1
9d2083b39c6e8cf31b0322adb84dfb11afccaa59

SHA256
6ab1c9bde9bf49a720db7590d7410ddd5e6fb18f5d1b39751c56a11bb6206110

SHA512
e3e026b5e1b09ddc0d6a6eb546424f3ab1c75f5920394988f5865abc189ce490819ad4babe48d8c639409d9c20a0a50910c85575fccbaea405abe3bf8f2dc15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\123829.zip
Filesize
853KB

MD5
72535edcb81fcdd329fc51362e166d38

SHA1
228a6934345e168c726f2b8e2a77e49d0da483c2

SHA256
41a2fce0c0727712ff41c0428889c56ea725ef1badd54e09beade0799bfd1173

SHA512
16e28803a6d6adda7d32a49c27f89550cc7dd270366eb50e63a3a9d724278328a5adfd230c6d3c25bfd3e306194573afafeaa7215ec38a719184485b0e1b2603

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
78888c3dadcc888e8d188e64e6331c3e

SHA1
43b7e9d126dc12841c8810dcabb3d1bdf042aaf6

SHA256
e7c485f8303cfb58c8d41f86fe2b52b8e86a886093c6c153d3fd6da51a80b332

SHA512
2aa811742a35ca536b1da060406d6d0e49b42e443894202f08ca1b5659c2f486e9a90725aef524b9d696ba4f8da223d63da8d5b8ea05e7847f0be760c0f4ea02

Download Submit
\Users\Admin\AppData\Local\Temp\123822.tmp
Filesize
400.7MB

MD5
75c3b9ca75b0ff59fb32153bef3c24f3

SHA1
598c1992e6f7e4a301699ec46f5f3ff8f87d5ce6

SHA256
0118f873a3d2f8d1f01a79837179af79047dfef177743da677f332e79bb938e2

SHA512
e94803feebbd0b0ac31688652bbd726269bdd88efeff58ea59ede0c3eda87dd7e24ea6b4f6872c268c6c1df85181b0772c275a09a020a492b1320f2a929cae7c

Download Submit
\Users\Admin\AppData\Local\Temp\123822.tmp
Filesize
468.5MB

MD5
200290b837a8588c890612b1d3a9966e

SHA1
2de0afc4efc8a99ab3e55d2b9c36b9a706856bc9

SHA256
9106b6c89fd6ff29e9d76bfed2bb1a066f9ef96a315983bdc3442c58ec8d7b50

SHA512
0468a62d69812ed1d6e2ce20b457a3ef7a614be13e2a20ebd0df429698c84891a349988ce1bfd03fda7e40b9ac260ad52cf050ee272145815c8aecf467e8387a

Download Submit
memory/704-87-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-71-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-60-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-61-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-62-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-63-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-64-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-65-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-66-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-67-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-68-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-69-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-70-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-91-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-72-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-74-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-75-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-73-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-76-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-77-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-78-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-79-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-80-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-81-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-83-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-84-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-85-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-86-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-82-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-58-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-92-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-89-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-95-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-59-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-88-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-93-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-94-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-90-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-97-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-98-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-96-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-99-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-100-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-101-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-102-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-103-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-104-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-105-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-106-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-107-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-108-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-109-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-110-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-111-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-112-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-113-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-114-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-115-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-116-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-117-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-119-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/704-1486-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/704-1745-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/704-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1332-1743-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1568-1744-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download