1ecfa1dc367c67148c44860062582f227fb05f49e4fbc26880a716dc68ce8f2b

Analysis

max time kernel
37s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Untitled-684772.doc
Size

531.4MB
MD5

ea92b0ea7b0a06724542e2e1a66f0b1e
SHA1

15d82ce1ab6ca7fb11e8aaa19f76644f047bd547
SHA256

fa08bcf86f41ef7f586bb7cff593a4458e4f479df26134ccfda00f15a2ed45c8
SHA512

0a94960c82f9129e96992df8764e0e446cdd5548257be1e7ee28be76ad06e5da8666e0f80ccd788b6c2c1eabaf894805cd939d1e68124cb072beed64803f1682
SSDEEP

6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1088	1376	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1376 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1376 WINWORD.EXE
1376 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1376 WINWORD.EXE
1376 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1376	WINWORD.EXE

pid	process
1376	WINWORD.EXE
1376	WINWORD.EXE

pid	process
1376	WINWORD.EXE
1376	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1376 wrote to memory of 868	1376	WINWORD.EXE	splwow64.exe
PID 1376 wrote to memory of 868	1376	WINWORD.EXE	splwow64.exe
PID 1376 wrote to memory of 868	1376	WINWORD.EXE	splwow64.exe
PID 1376 wrote to memory of 868	1376	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Untitled-684772.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:868

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\131359.tmp"
2⤵
- Process spawned unexpected child process
PID:1088

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\131359.tmp"
3⤵
PID:1368

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OAjBlEDdFbW\JazrDQhh.dll"
4⤵
PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\131359.tmp
Filesize
365.9MB

MD5
67cf457fb441e220aa308b534e0606d6

SHA1
7c373a8d2fd536d8bc02d9184eb9faaa5928dbf4

SHA256
c06da8d55627b85752ae728cc03f2e51826db646b2683d09353324a719f6d4e3

SHA512
019e7b8ded80dc3d9602446bf2c936804a248c69a61579b0c181a9f4dcebfbbee5eb7abac79588a2bf239d837b6884041eb3ebcb8f90ca82951e876b28fa6340

Download Submit
C:\Users\Admin\AppData\Local\Temp\131406.zip
Filesize
840KB

MD5
8ae7a394de5df498b34e9677c9c209bd

SHA1
8c2a0666ec403bc006bf86fca4b619537d5a09e6

SHA256
733f152143e5c0d3ebc152fff63b59593a5e5ca12eff1e61220a080a23d51dc2

SHA512
2d358b8f83507fa3dd7ad03706678bfa84cca4444d95982e980d31fbe65eb0135bfafa5a3781b73602d5c4624727ebe19b9684b0925697550398c8f3512705f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
1a4c689aa72958601c829e706dbf84e1

SHA1
a103fafb9d26a06077f2e52750b4cdc509f7b16f

SHA256
c75a5e9050088a57afb5e651cc6cddfbd8d60a177a6c1b59b5dcd2485048f211

SHA512
a6a1efd18fc0e5105754a5150231d8e4f2dea814998cc1ba1826b1a6ab2aa204693782d78730b3577d65a21d54474ce141640be01295adc7c18e9d0dfc7a89ca

Download Submit
\Users\Admin\AppData\Local\Temp\131359.tmp
Filesize
380.1MB

MD5
8ece7400b2bbec73e6b23ec3e5274c74

SHA1
945c32e7268ffffe1b955434c291996b5a1265e9

SHA256
8db209e639c823c4a0a194506b3f497352a3c381e3e8d4760dea5b40e499e2ac

SHA512
3a61b043c7afe5187f033dc4a6779af441d16cce4a198ef2fac542f50600bd8d63a594cb6950a2e96ad156be08992c7db22923dfe241d0e9afb098fa0d2d3d5a

Download Submit
\Users\Admin\AppData\Local\Temp\131359.tmp
Filesize
418.5MB

MD5
c605aa12e4b24aca5f8281969e8bcd9a

SHA1
618fdf5048bc44fc85be4c1d019b733bcd47635b

SHA256
e34988df084bf98355b30bb67a9066bbc89dfb9f19e37f1ba10149d27a22059b

SHA512
3e56c864de6639cb0599b95b40a4d76acb6a3046c8dbd731abca380f51eb7d49c1c5a511b998f4610e1925d930dc70112ca62739743dc0782f9744aa8d2bfa55

Download Submit
memory/1368-1743-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1376-87-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-117-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-60-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-61-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-62-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-63-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-64-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-65-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-67-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-66-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-90-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-70-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-71-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-72-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-68-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-73-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-74-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-75-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-76-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-77-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-78-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-79-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-80-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-81-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-82-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-83-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-84-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-86-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-58-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-85-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-1744-0x0000000006A60000-0x0000000006A61000-memory.dmp

Filesize
4KB

Download
memory/1376-59-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-69-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-91-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-93-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-92-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-94-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-96-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-97-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-95-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-98-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-99-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-100-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-101-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-102-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-103-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-104-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-105-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-107-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-108-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-106-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-109-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-110-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-111-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-112-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-113-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-114-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-116-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-115-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-89-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-1486-0x0000000006A60000-0x0000000006A61000-memory.dmp

Filesize
4KB

Download
memory/1376-88-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1376-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1380-1745-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download