3400a34f0069659ecacf3ae1e12fa776755392c6828804fa64669e02286a4f4c

Analysis

max time kernel
52s
max time network
51s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dettagli_14032023.doc
Size

527.4MB
MD5

c1299106b5977d3aced43828efd4dae3
SHA1

6c740be7700b0de2419e1c9edcfb06dedfc5cd0a
SHA256

c41b2b229d37b2581c52e9c87d17838a01e5b2cc038ad4c38c6a8b9bd0e3dc19
SHA512

5a6eb6af326b60ab6327581127fcd0d3815a64765b7ed8e1b0bcfb0e990bc85eb8e93c67e7e7bcd8155364ba4aa035548facec1005e9f094ef32e0566bccb6a6
SSDEEP

6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	336	1324	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 13 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1324 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1324 WINWORD.EXE
1324 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1324 WINWORD.EXE
1324 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1324	WINWORD.EXE

pid	process
1324	WINWORD.EXE
1324	WINWORD.EXE

pid	process
1324	WINWORD.EXE
1324	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1324 wrote to memory of 2008	1324	WINWORD.EXE	splwow64.exe
PID 1324 wrote to memory of 2008	1324	WINWORD.EXE	splwow64.exe
PID 1324 wrote to memory of 2008	1324	WINWORD.EXE	splwow64.exe
PID 1324 wrote to memory of 2008	1324	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dettagli_14032023.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2008

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\160235.tmp"
2⤵
- Process spawned unexpected child process
PID:336

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\160235.tmp"
3⤵
PID:524

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KnMLJ\sfEywaRIjvlVv.dll"
4⤵
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\160235.tmp
Filesize
510.2MB

MD5
3de788d94fba8c2fc65d71f75c4e3fb1

SHA1
b18c6c075628cefd4c23b4c0cc3d6214852171d4

SHA256
43619e0f1e2f7aba2bc3aa2620382de72d5f9d7b7491b44493e83ea19cd945fc

SHA512
898be9f9cc1775b973c3bf792079ce35b61e45caf902f1f63a0cc07b9a258ba37b624841ff2c6c8eabbcb9d515b2b26e70cd371d54c0eda4590033aadf508d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\160303.zip
Filesize
840KB

MD5
9d981a69aabf1188886040d54fb4aa9b

SHA1
ffc01610fa628cc6ca68d7eb42f9f6b6cbb3e033

SHA256
741ba2304437d0197941620fc6fc5ceb03e5661e463aa7a634f0c1a814216047

SHA512
d3aa46a8edc40099171454e2647d78dc89cc987111216ee388d864edbfe34275beb205498f52bf2b54cec77041b98c16734544c5d853045990c9367eb955dc4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
e1a1e6c36eb4df0fc6f9584e189bf03e

SHA1
c87f6398c45f87a0f3c6dbccf7629fd2fdbc8d41

SHA256
d206f64bc047553ee8cb419386c6e5eaeff8e174cadd246c91945e39d8770d82

SHA512
ffb8edf324108b87ba0b276b179126089509f08a3dc85b50e171d51c86fd2727cb1ea8223fcf4ec5c98e25f19497943ff9842fcdc101037204d5d31b5cd4d6e5

Download Submit
\Users\Admin\AppData\Local\Temp\160235.tmp
Filesize
533.5MB

MD5
e658809e3b8fd15426058f074b257e79

SHA1
fb88375f5d8e2449143401cf7082eec71ef206bf

SHA256
8f7e111598ee9fbe029438505a7623d971f71c765208d95150d38c0defe904b2

SHA512
4126030cb0eb24c743eb954376729a7a4732b902225b24d784e241e1dbc96d61b608dab08d2f4a37e39632b2af0e4a47f8363c5364bee9aed9b957c0f474b055

Download Submit
\Users\Admin\AppData\Local\Temp\160235.tmp
Filesize
433.2MB

MD5
a7a0e9e99b1f068ba3a4529172f6e15d

SHA1
8cf7a43f00529e66accfa0e8f962194c7a6fadf4

SHA256
3c79b79932ebdcc9bedbf4d745fe6c3011ea3244f7d22ab8b5b43abc63231c4e

SHA512
b103ffe7997e4274adc215d653909800c43e54b568a0d5951db9e377b5ecbb542ebe25f6ef9eec405dbf038ca7e3f97cb70132c7a0c3a65d0ce320eb3486e2a7

Download Submit
memory/524-1739-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1324-87-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-64-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-61-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-62-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-63-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-58-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-65-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-66-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-67-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-68-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-90-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-69-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-70-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-71-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-72-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-73-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-74-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-75-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-77-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-76-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-78-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-79-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-81-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-80-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-82-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-83-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-84-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-86-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-59-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-88-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1324-117-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-60-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-92-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-93-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-94-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-96-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-97-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-95-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-91-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-98-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-101-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-103-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-105-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-107-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-106-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-109-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-110-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-112-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-113-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-114-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-115-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-116-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-111-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-108-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-104-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-102-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-100-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-99-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-89-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-1486-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/1324-85-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1324-1740-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/1960-1741-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download