b657ff2eedb3a695ad0803581491dbadb4e8269d84e7d29044852fe8d5ef2c2f

Analysis

max time kernel
50s
max time network
54s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Details-1403.doc
Size

543.4MB
MD5

fab228ccf98106058a380fa34a81785c
SHA1

4cdf518b8c83fdeda252e098a1c58a729413c4f6
SHA256

d49c3094888646282364efd6b28f66b99fbe8aa2f8dc2be86daddd3320ae04c9
SHA512

8c65c417e79dfc7995e46e2e53da52c15ab2d2c71233a51d7812df9ccee7c5e326ee227db83bd23f35816a0391bc5b081678b0d24037306a537302cb24701cd7
SSDEEP

6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	844	1276	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 12 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1276 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1276 WINWORD.EXE
1276 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1276 WINWORD.EXE
1276 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1276	WINWORD.EXE

pid	process
1276	WINWORD.EXE
1276	WINWORD.EXE

pid	process
1276	WINWORD.EXE
1276	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1276 wrote to memory of 1960	1276	WINWORD.EXE	splwow64.exe
PID 1276 wrote to memory of 1960	1276	WINWORD.EXE	splwow64.exe
PID 1276 wrote to memory of 1960	1276	WINWORD.EXE	splwow64.exe
PID 1276 wrote to memory of 1960	1276	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Details-1403.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1960

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\150608.tmp"
2⤵
- Process spawned unexpected child process
PID:844

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\150608.tmp"
3⤵
PID:1728

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UpBCaWAeivrfc\ircHwvymLNrhjl.dll"
4⤵
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\150608.tmp
Filesize
524.5MB

MD5
418e2fbc1b6800985a3407a674876a7c

SHA1
ec5a582e95ec57caafacad2c03d2cac49f412444

SHA256
9268dcaf8978f3cd7f938cbec447c36ebea029727e3a6fe80e798a40c618519d

SHA512
2c8ac4627450871b289a07d1ff78bdf230cf0c041ecbcb2caccabc30607277162d16809bcb09449a5e4062670a232dee7ac90740dba81b2a13c964695b6a3bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\150637.zip
Filesize
831KB

MD5
ea555ed476a2feffeae8f51aad696387

SHA1
8ed47123b5b99610c0b4931126e547c3d6736519

SHA256
f7db9ba644d7ae083bbea602b6224a5d52f56f44b6581c851c4236b9d73ddb72

SHA512
52e62f0669a0c880f40f9423cc4a30879448a2a771b56433329e9c97611a3dc1af5e76d22f016a3931052e35936f03319b75e744915d4f009d94ccb53083786e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
cf0b9330cd5c59d1e6eb2f444a5352c8

SHA1
85b286f4a56c2785a0dc1be5fd4023133aa8aa23

SHA256
4cce2e239f7a354525da6c9a570f3afc80d64512f226b6cd1de9fc58b182469c

SHA512
2ffb49e4d5d38e36b4bec8b9a2eeb4a5246cf1f44c0ae1ba685e871307e97b864b43ccb318ae6ccc01d6c36e23e1192e05d8c2f5da1fede21d2753181d7a37c4

Download Submit
\Users\Admin\AppData\Local\Temp\150608.tmp
Filesize
524.5MB

MD5
418e2fbc1b6800985a3407a674876a7c

SHA1
ec5a582e95ec57caafacad2c03d2cac49f412444

SHA256
9268dcaf8978f3cd7f938cbec447c36ebea029727e3a6fe80e798a40c618519d

SHA512
2c8ac4627450871b289a07d1ff78bdf230cf0c041ecbcb2caccabc30607277162d16809bcb09449a5e4062670a232dee7ac90740dba81b2a13c964695b6a3bad

Download Submit
\Users\Admin\AppData\Local\Temp\150608.tmp
Filesize
524.5MB

MD5
418e2fbc1b6800985a3407a674876a7c

SHA1
ec5a582e95ec57caafacad2c03d2cac49f412444

SHA256
9268dcaf8978f3cd7f938cbec447c36ebea029727e3a6fe80e798a40c618519d

SHA512
2c8ac4627450871b289a07d1ff78bdf230cf0c041ecbcb2caccabc30607277162d16809bcb09449a5e4062670a232dee7ac90740dba81b2a13c964695b6a3bad

Download Submit
memory/1276-87-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-72-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-61-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-62-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-63-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-94-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-65-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-66-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-67-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-68-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-69-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-70-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-64-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-93-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-73-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-74-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-71-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-75-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-76-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-77-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-78-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-79-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-80-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-81-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-83-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-96-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-86-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-85-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-82-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-59-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-90-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-92-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-58-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-60-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-84-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-95-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-91-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-89-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-88-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-97-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-98-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-102-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-101-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-104-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-106-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-105-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-103-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-100-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-99-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-107-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-108-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-110-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-111-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-109-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-112-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-113-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-115-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-114-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-116-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-117-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1276-1481-0x0000000006850000-0x0000000006851000-memory.dmp

Filesize
4KB

Download
memory/1276-1741-0x0000000006850000-0x0000000006851000-memory.dmp

Filesize
4KB

Download
memory/1276-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1728-1739-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1976-1740-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

Filesize
4KB

Download