4879d68f64e84f0fb5b64b2dd212f76462a01f8e10f4d8ed6287cac8421e589c

Analysis

max time kernel
52s
max time network
53s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4373179537.doc
Size

533.4MB
MD5

9fbce537ab324aa323e681b6b0024492
SHA1

b5626da4171f32811440381d01392db523e69118
SHA256

e7664734d76bfd668aeb42789758976d72086e2dfd408b96f6b3c0d84d395e88
SHA512

1736d2aaee14543db22dacc34477f341d3c5f45b02d95492ef59127b6568378905adef976386ddaf945db9ea1e8d4109267928719372ba5a68d072afdfc76859
SSDEEP

6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	556	912	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

912 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

912 WINWORD.EXE
912 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

912 WINWORD.EXE
912 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
912	WINWORD.EXE

pid	process
912	WINWORD.EXE
912	WINWORD.EXE

pid	process
912	WINWORD.EXE
912	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 912 wrote to memory of 968	912	WINWORD.EXE	splwow64.exe
PID 912 wrote to memory of 968	912	WINWORD.EXE	splwow64.exe
PID 912 wrote to memory of 968	912	WINWORD.EXE	splwow64.exe
PID 912 wrote to memory of 968	912	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4373179537.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:968

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\145501.tmp"
2⤵
- Process spawned unexpected child process
PID:556

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\145501.tmp"
3⤵
PID:1084

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PaSTnwenjB\FjkUY.dll"
4⤵
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\145501.tmp
Filesize
524.5MB

MD5
418e2fbc1b6800985a3407a674876a7c

SHA1
ec5a582e95ec57caafacad2c03d2cac49f412444

SHA256
9268dcaf8978f3cd7f938cbec447c36ebea029727e3a6fe80e798a40c618519d

SHA512
2c8ac4627450871b289a07d1ff78bdf230cf0c041ecbcb2caccabc30607277162d16809bcb09449a5e4062670a232dee7ac90740dba81b2a13c964695b6a3bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\145529.zip
Filesize
831KB

MD5
ea555ed476a2feffeae8f51aad696387

SHA1
8ed47123b5b99610c0b4931126e547c3d6736519

SHA256
f7db9ba644d7ae083bbea602b6224a5d52f56f44b6581c851c4236b9d73ddb72

SHA512
52e62f0669a0c880f40f9423cc4a30879448a2a771b56433329e9c97611a3dc1af5e76d22f016a3931052e35936f03319b75e744915d4f009d94ccb53083786e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
225b406808c9b5170cd69b7d337dc24b

SHA1
9a1eb88fed8e2cf1fee3daa24aa713bbdfe492c5

SHA256
cb3e7869de2173b147b1d6010cd857f513a017e762d54eb85f6b7c9782275de1

SHA512
81c38d16f56a7047cc1a243ce02df49d7b2f56baad20405f8f54d1df03338337da0772b53af0748265320c53188ea48154b1ba5ccac6b832a5afda4ecb2b55fe

Download Submit
\Users\Admin\AppData\Local\Temp\145501.tmp
Filesize
524.5MB

MD5
418e2fbc1b6800985a3407a674876a7c

SHA1
ec5a582e95ec57caafacad2c03d2cac49f412444

SHA256
9268dcaf8978f3cd7f938cbec447c36ebea029727e3a6fe80e798a40c618519d

SHA512
2c8ac4627450871b289a07d1ff78bdf230cf0c041ecbcb2caccabc30607277162d16809bcb09449a5e4062670a232dee7ac90740dba81b2a13c964695b6a3bad

Download Submit
\Users\Admin\AppData\Local\Temp\145501.tmp
Filesize
392.4MB

MD5
fb75b5687b82c760a045c67f3a6d0e8c

SHA1
d1e8132cd0dfc6a3cd97f051e412c57eed08f5a3

SHA256
9b496af7b660e2b60935e649a51a39302898d0e6901ae4d365786c86607fc73e

SHA512
dc492ad58683790e8cc2300194dc3bd542b8314bcd449f88db76b2f601720017b19c5667e4938f41a208cdb25245485bf6b57c2a4d14a61fd81ce9f1aeaac41b

Download Submit
memory/912-91-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-71-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-60-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-61-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-62-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-83-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-64-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-65-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-66-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-67-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-68-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-69-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-70-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-82-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-72-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-75-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-74-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-76-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-77-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-78-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-79-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-73-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-80-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-81-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-84-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-92-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-88-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-90-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-89-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-58-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-87-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-85-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-63-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-59-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-86-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-93-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-94-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-95-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-96-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-97-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-98-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-99-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-100-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-102-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-101-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-103-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-104-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-106-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-108-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-110-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-109-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-112-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-113-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-111-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-107-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-105-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-114-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-115-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-116-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-117-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/912-1486-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/912-1744-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/912-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1084-1739-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2016-1745-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download