Overview

overview

10

Static

static

8

GHx_1818979364.doc

windows7-x64

10

GHx_1818979364.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2023 13:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GHx_1818979364.doc

  • Size

    503.4MB

  • MD5

    fb48105f26dc03adc5c3cb88a7c51e62

  • SHA1

    30c58b68c8eb5d25689fbfbacc2848797c42ceba

  • SHA256

    5c98bcef95d0030a25c66a06d71a141a1a839402c5f71f72f643ce991ccfd308

  • SHA512

    6e6ee47118a9b608dd3a4a50b9b59c2f29beb4a320081a4281f0a2038f2cc7200280cd96b39a70a1e298ba14feb3386931dac202f3d933da6dc6c7cf78a9c5e4

  • SSDEEP

    6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\GHx_1818979364.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1840
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\145326.tmp"
        2⤵
        • Process spawned unexpected child process
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:788
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Users\Admin\AppData\Local\Temp\145326.tmp"
          3⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:824
          • C:\Windows\system32\regsvr32.exe
            C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UjtTZ\YmImcMRKQG.dll"
            4⤵
              PID:748

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\145326.tmp
        Filesize

        524.5MB

        MD5

        418e2fbc1b6800985a3407a674876a7c

        SHA1

        ec5a582e95ec57caafacad2c03d2cac49f412444

        SHA256

        9268dcaf8978f3cd7f938cbec447c36ebea029727e3a6fe80e798a40c618519d

        SHA512

        2c8ac4627450871b289a07d1ff78bdf230cf0c041ecbcb2caccabc30607277162d16809bcb09449a5e4062670a232dee7ac90740dba81b2a13c964695b6a3bad

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\145331.zip
        Filesize

        831KB

        MD5

        ea555ed476a2feffeae8f51aad696387

        SHA1

        8ed47123b5b99610c0b4931126e547c3d6736519

        SHA256

        f7db9ba644d7ae083bbea602b6224a5d52f56f44b6581c851c4236b9d73ddb72

        SHA512

        52e62f0669a0c880f40f9423cc4a30879448a2a771b56433329e9c97611a3dc1af5e76d22f016a3931052e35936f03319b75e744915d4f009d94ccb53083786e

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        9cd3370daa0bfdf12b77297a680b7c41

        SHA1

        0d16cb10b49950d9334cbc82d1d476e2366639a0

        SHA256

        c1882593e69ca66c2b842b6eadafe6b71ea9e895022e6832c000b3c5f6893ea3

        SHA512

        dfdb4c1ff46c4e251a147abdc54e48bcd2d414d220c3e50d4b3ee23a8cdc0c5e3e033fa63b43aa56128722e5f6f9898ce528b1daf2b0c8c844845f6deec4d331

        Download Submit
      • \Users\Admin\AppData\Local\Temp\145326.tmp
        Filesize

        524.5MB

        MD5

        418e2fbc1b6800985a3407a674876a7c

        SHA1

        ec5a582e95ec57caafacad2c03d2cac49f412444

        SHA256

        9268dcaf8978f3cd7f938cbec447c36ebea029727e3a6fe80e798a40c618519d

        SHA512

        2c8ac4627450871b289a07d1ff78bdf230cf0c041ecbcb2caccabc30607277162d16809bcb09449a5e4062670a232dee7ac90740dba81b2a13c964695b6a3bad

        Download Submit
      • \Users\Admin\AppData\Local\Temp\145326.tmp
        Filesize

        524.5MB

        MD5

        418e2fbc1b6800985a3407a674876a7c

        SHA1

        ec5a582e95ec57caafacad2c03d2cac49f412444

        SHA256

        9268dcaf8978f3cd7f938cbec447c36ebea029727e3a6fe80e798a40c618519d

        SHA512

        2c8ac4627450871b289a07d1ff78bdf230cf0c041ecbcb2caccabc30607277162d16809bcb09449a5e4062670a232dee7ac90740dba81b2a13c964695b6a3bad

        Download Submit
      • memory/748-1741-0x00000000003F0000-0x00000000003F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/824-1739-0x00000000002A0000-0x00000000002A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1540-86-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-1481-0x0000000006BD0000-0x0000000006BD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1540-61-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-62-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-63-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-64-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-65-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-66-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-67-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-68-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-69-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-70-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-71-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-91-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-72-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-76-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-74-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-77-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-75-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-78-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-81-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-80-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-79-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-84-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-82-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-85-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-83-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-59-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-87-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-88-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-89-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-60-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-73-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-92-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-93-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-94-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-95-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-96-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-98-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-97-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-99-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-100-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-101-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-102-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-103-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-104-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-106-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-105-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-107-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-108-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-109-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-112-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-110-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-113-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-111-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-114-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-58-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-115-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-116-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-117-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-90-0x0000000000620000-0x0000000000720000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1540-1740-0x0000000006BD0000-0x0000000006BD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1540-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download