c16c1e9791aed407aea7feb7b5b53e4eed8d695d18f3e739b5b4f277af86152e

Analysis

max time kernel
33s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

report_6164595082.doc
Size

546.4MB
MD5

2a5efe48ea409cb16d887ffc7bfc9268
SHA1

9ce3ab622fa94f7aa4eb62cc404cfd8e2582fb1a
SHA256

b72fac6410f1c9bcd93e321271707f27e27e192aaf68c53b5c8d6d86438df385
SHA512

2c4ede6a294ec03f8361eabe02a0975aa5d616d2561546a26caeb6473d397366e4b4bc1d55937e1dd38f3dfe2e86cb81bfb995775c4a3db0f3a129e7e30a1551
SSDEEP

6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1500	1068	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1068 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1068 WINWORD.EXE
1068 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1068 WINWORD.EXE
1068 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1068	WINWORD.EXE

pid	process
1068	WINWORD.EXE
1068	WINWORD.EXE

pid	process
1068	WINWORD.EXE
1068	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1068 wrote to memory of 1064	1068	WINWORD.EXE	splwow64.exe
PID 1068 wrote to memory of 1064	1068	WINWORD.EXE	splwow64.exe
PID 1068 wrote to memory of 1064	1068	WINWORD.EXE	splwow64.exe
PID 1068 wrote to memory of 1064	1068	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\report_6164595082.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1064

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\140959.tmp"
2⤵
- Process spawned unexpected child process
PID:1500

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\140959.tmp"
3⤵
PID:640

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TolnVrGIlhmjyQ\vVBwng.dll"
4⤵
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\140959.tmp
Filesize
273.7MB

MD5
9ee875fb3df4cbcf17640777ff5913f6

SHA1
d9b16c75fae142e038215943c22954edd89de699

SHA256
404049da173863f4115e22d7d75879c32f0fc6578b3bf8b3949d1c405d564f7b

SHA512
d1e14367d863215034d14e85b070770f0067223a452a84ac5dd279cfb939a146ada540da4e78408cd1449b4379eb7fd077c8eac6341bde4c41b3114acaf84e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\141006.zip
Filesize
831KB

MD5
ea555ed476a2feffeae8f51aad696387

SHA1
8ed47123b5b99610c0b4931126e547c3d6736519

SHA256
f7db9ba644d7ae083bbea602b6224a5d52f56f44b6581c851c4236b9d73ddb72

SHA512
52e62f0669a0c880f40f9423cc4a30879448a2a771b56433329e9c97611a3dc1af5e76d22f016a3931052e35936f03319b75e744915d4f009d94ccb53083786e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
34d6cbb564dc0c30f02cf36a0115b869

SHA1
c5808cf2e0be7ef45a671ebf726931032dd7f923

SHA256
1a5c40649c339c0350b7628fe1bb5d8d5d96cf7ee6b4681d1fbeb31edc172dbf

SHA512
518edc52a4f6c26b7b5bc0aa3b3d4f858040cba6d74630b2ac7bdd3017c168ec6ed10d364df7307ace6f89ffc78c5f90aecdc6a3b694b305eb92fae6c8ea49c9

Download Submit
\Users\Admin\AppData\Local\Temp\140959.tmp
Filesize
273.6MB

MD5
2a9c66a9f9e17ba8ba86ff354291b760

SHA1
aea535488c6430478435ca1d54fa14f0489d4e50

SHA256
90e9139b1032af377f38b486e7cb77be946b53a2eba1f7ad8874a691839491c7

SHA512
6f95e53b2fd6b7a8c419ae5d4c6385d3d8f8d12ed6af5dc3ee2b1e956c5151b07223893a5e85fee172d60367cb0ae0737c276fbcb53099cf10c2f471689d4b54

Download Submit
\Users\Admin\AppData\Local\Temp\140959.tmp
Filesize
274.3MB

MD5
5700f6f7fb077cf6945f46b483f20d6d

SHA1
0eaf07bf9eaa2975dcb6b5d549f053f13a837709

SHA256
e6b2a79d11bb44adfdfac0f72fa988d29edba9008ae9a6a1eca4d22c4a3c5f35

SHA512
3756ed6c83f5d95959e5707df5fe563a6926dd819f5c1f6da0c0f06bbee5a0fdbd6d4246f0d3bdbab247684a9e91e33f4eb47fe64ca70b067015b4e8f851cc9d

Download Submit
memory/640-1743-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1068-86-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-71-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-60-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-61-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-62-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-90-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-64-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-66-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-67-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-65-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-68-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-69-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-70-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-91-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-74-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-76-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-77-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-78-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-79-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-80-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-81-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-75-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-73-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-72-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-82-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-94-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-84-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-85-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-58-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-87-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-88-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-89-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-63-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-59-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-83-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-97-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-98-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-96-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-99-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-100-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-95-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-102-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-103-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-104-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-101-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-105-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-106-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-107-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-108-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-109-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-110-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-92-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-93-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-111-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-115-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-116-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-117-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-114-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-112-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-119-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-113-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/1068-1486-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/1068-1744-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/1068-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1124-1745-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download