Overview

overview

10

Static

static

8

PO.doc

windows7-x64

10

PO.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    111s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14-03-2023 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO.doc

  • Size

    510.3MB

  • MD5

    732336a4ffdffb6af529c92240c52aaa

  • SHA1

    0f132ee237e3c419422d33a7fdc8687d3a62068f

  • SHA256

    76e94f1bf0af4acd2e3dd307c9cb05ff1cce879a7c611e9e3dc01d8fd7a7f2cc

  • SHA512

    683ea54a98b83cbc857299e9511a165371d99a3f3e08f968faf4f3dba53c13de79d8676203f79a71f91cd68892157a1c37766951d4d81a57468e62be809d436a

  • SSDEEP

    6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\141653.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\141653.tmp"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1092
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UcWkUBVMwSiHFJD\KTmUZsq.dll"
          4⤵
            PID:1820
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:632

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        61KB

        MD5

        e71c8443ae0bc2e282c73faead0a6dd3

        SHA1

        0c110c1b01e68edfacaeae64781a37b1995fa94b

        SHA256

        95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

        SHA512

        b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        e59fd695e111e099cc4999f976829095

        SHA1

        a2235657bcf025d80f048ca5499e6c8c0906e164

        SHA256

        699c61350898ff622c689e3a1a9d9dcbc544f3027aa8c5943145afbe4c929d60

        SHA512

        689f6ef50117e3f706e774f535707fc496260da910a682acc16e79dfa0c6bcadd21dbafa1841f51c830ed2d0f2247810d7383e79ff3e345dfe02c077702e843b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\141653.tmp
        Filesize

        501.5MB

        MD5

        302f08a45be2b11a9b8c89cb1cda8d0e

        SHA1

        cb7870c9b5af1f19cdf0a05339596722213d3fb5

        SHA256

        7fcaf117e46f49049b48ff059a0642f45dfaa433f5b7537299be43bbde9dccc5

        SHA512

        5b4d10f02b6685f9623d80b14a72908038317d4627fb1af7edf68e8ecb3a534f73a6138db4a9b70254e944173cac95cb4d4a042005cae478109f4620e0843df2

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\141720.zip
        Filesize

        807KB

        MD5

        29e2d222bd12220dce9a8d50033ccb5c

        SHA1

        8395359176311bd02d8be06f200ccd2b72bf57d6

        SHA256

        36a0eba1c1a3a6d28a0bc4ccede8adacd35426e213773fbcba64185697310853

        SHA512

        c247ac90bfa8c0958bab87b4c186d4a465c15b00e025bb6bc19ac0352c720211075b86ec0feb6254be972b6c6491581d6a24a2fb595ad6c0ed24512495973864

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Cab9532.tmp
        Filesize

        61KB

        MD5

        fc4666cbca561e864e7fdf883a9e6661

        SHA1

        2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

        SHA256

        10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

        SHA512

        c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Tar99EA.tmp
        Filesize

        161KB

        MD5

        be2bec6e8c5653136d3e72fe53c98aa3

        SHA1

        a8182d6db17c14671c3d5766c72e58d87c0810de

        SHA256

        1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

        SHA512

        0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        b0995277286b2c84175e24b8f99ed0b6

        SHA1

        79c0641dc7ac5e42305c1eb7f12cba6020ac8fdf

        SHA256

        e92c8ab4b95e599c3f4e1745a8c8319b55dd0da80e04ef5add2b873a06e6eae6

        SHA512

        28fbb4b251c165fa3b148b4c951ab6dbfdd9cfd3499670d8cca7c9b65a4d198dbf4ca7b2dced6b8fe08c6de60f2e339ee04c54429eb5a4c38493ee3611471a4b

        Download Submit
      • \Users\Admin\AppData\Local\Temp\141653.tmp
        Filesize

        501.5MB

        MD5

        302f08a45be2b11a9b8c89cb1cda8d0e

        SHA1

        cb7870c9b5af1f19cdf0a05339596722213d3fb5

        SHA256

        7fcaf117e46f49049b48ff059a0642f45dfaa433f5b7537299be43bbde9dccc5

        SHA512

        5b4d10f02b6685f9623d80b14a72908038317d4627fb1af7edf68e8ecb3a534f73a6138db4a9b70254e944173cac95cb4d4a042005cae478109f4620e0843df2

        Download Submit
      • \Users\Admin\AppData\Local\Temp\141653.tmp
        Filesize

        501.5MB

        MD5

        302f08a45be2b11a9b8c89cb1cda8d0e

        SHA1

        cb7870c9b5af1f19cdf0a05339596722213d3fb5

        SHA256

        7fcaf117e46f49049b48ff059a0642f45dfaa433f5b7537299be43bbde9dccc5

        SHA512

        5b4d10f02b6685f9623d80b14a72908038317d4627fb1af7edf68e8ecb3a534f73a6138db4a9b70254e944173cac95cb4d4a042005cae478109f4620e0843df2

        Download Submit
      • memory/1092-1412-0x00000000003A0000-0x00000000003A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1820-1417-0x0000000000560000-0x0000000000561000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2040-81-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-86-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-63-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-65-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-66-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-68-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-67-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-69-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-71-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-72-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-70-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-73-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-74-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-77-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-75-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-76-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-78-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-79-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-80-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-62-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-82-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-83-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-84-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-85-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-87-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-64-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-88-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-89-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-90-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-91-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-93-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-92-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-96-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-95-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-94-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-97-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-99-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-98-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-101-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-100-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-102-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-107-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-1215-0x0000000006190000-0x0000000006191000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2040-61-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-60-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-59-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-58-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-57-0x0000000000320000-0x0000000000420000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2040-1418-0x0000000006190000-0x0000000006191000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2040-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download