Analysis
-
max time kernel
150s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
14-03-2023 15:00
General
-
Target
Jh_1403.doc
-
Size
515.4MB
-
MD5
56dab98685d8a18633f2a3413942548e
-
SHA1
3bd3fe48af9de6b9ce0fbc2f77b7a0f067b4e4c0
-
SHA256
4fb3dc01d2831c8ac9a837301455a9d583c794f419fb4434a9ed1202c10461fb
-
SHA512
d7733ad03e4bc6f9e2e474d8d07d554664874cabc457aac5b6a2d84550308ec147b5174c2aedbe3334a8d935678c59672c861d21b3723740e04bd6fe8a872bdd
-
SSDEEP
6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Jh_1403.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\160056.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\160056.tmp"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\LxvBKnbPblSwx\CgeuqYbMIhTt.dll"4⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\160056.tmpFilesize
533.5MB
MD5e658809e3b8fd15426058f074b257e79
SHA1fb88375f5d8e2449143401cf7082eec71ef206bf
SHA2568f7e111598ee9fbe029438505a7623d971f71c765208d95150d38c0defe904b2
SHA5124126030cb0eb24c743eb954376729a7a4732b902225b24d784e241e1dbc96d61b608dab08d2f4a37e39632b2af0e4a47f8363c5364bee9aed9b957c0f474b055
-
C:\Users\Admin\AppData\Local\Temp\160101.zipFilesize
840KB
MD59d981a69aabf1188886040d54fb4aa9b
SHA1ffc01610fa628cc6ca68d7eb42f9f6b6cbb3e033
SHA256741ba2304437d0197941620fc6fc5ceb03e5661e463aa7a634f0c1a814216047
SHA512d3aa46a8edc40099171454e2647d78dc89cc987111216ee388d864edbfe34275beb205498f52bf2b54cec77041b98c16734544c5d853045990c9367eb955dc4d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD51dadc7e925378d76027ebe99a048f52c
SHA1e43fd3c9c7974316b47b363c5a60e6a1109c8160
SHA256589c84183604545d0874e57737e1060204bf84902d321cf01365a86291fa7bb3
SHA512176ad4bb04efe85b707f893205d4d30fb5edd1d8aff718c5764860b96da282457035d140a23e1b1b98108e3ad6c8cb9743f9d0dbf68d0a1c21c9468b4bd0e050
-
\Users\Admin\AppData\Local\Temp\160056.tmpFilesize
533.5MB
MD5e658809e3b8fd15426058f074b257e79
SHA1fb88375f5d8e2449143401cf7082eec71ef206bf
SHA2568f7e111598ee9fbe029438505a7623d971f71c765208d95150d38c0defe904b2
SHA5124126030cb0eb24c743eb954376729a7a4732b902225b24d784e241e1dbc96d61b608dab08d2f4a37e39632b2af0e4a47f8363c5364bee9aed9b957c0f474b055
-
\Users\Admin\AppData\Local\Temp\160056.tmpFilesize
533.5MB
MD5e658809e3b8fd15426058f074b257e79
SHA1fb88375f5d8e2449143401cf7082eec71ef206bf
SHA2568f7e111598ee9fbe029438505a7623d971f71c765208d95150d38c0defe904b2
SHA5124126030cb0eb24c743eb954376729a7a4732b902225b24d784e241e1dbc96d61b608dab08d2f4a37e39632b2af0e4a47f8363c5364bee9aed9b957c0f474b055
-
memory/1544-78-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-117-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-61-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-62-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-58-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-63-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-64-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-65-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-66-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-67-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-93-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-69-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-70-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-71-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-72-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-73-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-74-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-76-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-75-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-77-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-80-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-79-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-81-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-82-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-83-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-86-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-87-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-85-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-84-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-59-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-1744-0x0000000006A80000-0x0000000006A81000-memory.dmpFilesize
4KB
-
memory/1544-60-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-68-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-92-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-95-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-96-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-94-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-90-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-89-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-97-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-98-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-99-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-102-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-101-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-104-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-103-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-106-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-108-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-110-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-109-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-112-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-113-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-115-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-116-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-114-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-111-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-107-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-105-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-100-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-91-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-1486-0x0000000006A80000-0x0000000006A81000-memory.dmpFilesize
4KB
-
memory/1544-88-0x0000000000540000-0x0000000000640000-memory.dmpFilesize
1024KB
-
memory/1544-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1760-1739-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB