Analysis
-
max time kernel
115s -
max time network
35s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
14-03-2023 15:18
General
-
Target
DETAILS 14032023.doc
-
Size
518.4MB
-
MD5
f30f9eed1fc654c010ab7dec52291fbd
-
SHA1
b17388dbcf3a8e437358865c597ba372c7a4a79d
-
SHA256
32b73674bef1bf5a7893ddfff9ab38c3efb281f09838c723cbf5c9f1f5cca10c
-
SHA512
7485d2adad87bbc74281dc555e9e97284a4ef2513093b6e1448c06ddb1fa32bbbf13515a88af2ea14b6136c4f6726ffe4f7929619ab9f57c3d840b36d9cd1faf
-
SSDEEP
6144:5yk1RgZZXbN63GW1Z7krKSUzMNYJJdKkOl950uH54Lg4Ne9C:5/MXJ6WW1Z7ktUgNYJJdKkOHC4D409
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DETAILS 14032023.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\161949.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\161949.tmp"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\WzbFbFEuVzBcrTPfV\lJgZeyrUlPHOkXXF.dll"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\161949.tmpFilesize
518.5MB
MD55d82ffd92fedcf51f9d0567c00bbc86f
SHA1937136806d35f012dce1bb41234f1b4fb6706817
SHA256dddc9be1b18831d21eb3b403ba0190e9e3e6ec839694081642d9e934be335b31
SHA512a690d8245dbad71979f69350d5fd37aa2b0be9045ee67cf040f7db8ddf4f6eaa07409f633829950a9f2ec90e9b1839c878b75e4b554c5d4459f470e903963171
-
C:\Users\Admin\AppData\Local\Temp\161956.zipFilesize
825KB
MD5d2d461a0329936877bff5c9e5376ea7b
SHA15385fc7976a2c3d53ec55d069eee4a76be7307ff
SHA256fc9376193c41997754a373c33d5f10cf380ee295da28b0aa3e550e648bb9d45d
SHA512a672d4ef9144a276b9f451a564229a54173edb0725ccee1e15b49224e411623b97521bcfc06a69cdbc6cd35415ba9a5130be2f9516bda050dee9422561174061
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD506e4d4a85c46e4654b062d59663d54ef
SHA128b89f2e93e54df3e428695bddebcc60ebd1498b
SHA2561da29239355fd1111ba3f70786a8b0add847216120116a71140c2dfa615f9690
SHA5123d968444c82897ac6f9b600d9a233cf88127558b7473c20d1ae2212d33d834a8aa5e5fa02abdbf869718495ece7e9d67acc420acfcab4d6b4b29813ec52b7a2b
-
\Users\Admin\AppData\Local\Temp\161949.tmpFilesize
518.5MB
MD55d82ffd92fedcf51f9d0567c00bbc86f
SHA1937136806d35f012dce1bb41234f1b4fb6706817
SHA256dddc9be1b18831d21eb3b403ba0190e9e3e6ec839694081642d9e934be335b31
SHA512a690d8245dbad71979f69350d5fd37aa2b0be9045ee67cf040f7db8ddf4f6eaa07409f633829950a9f2ec90e9b1839c878b75e4b554c5d4459f470e903963171
-
\Users\Admin\AppData\Local\Temp\161949.tmpFilesize
518.5MB
MD55d82ffd92fedcf51f9d0567c00bbc86f
SHA1937136806d35f012dce1bb41234f1b4fb6706817
SHA256dddc9be1b18831d21eb3b403ba0190e9e3e6ec839694081642d9e934be335b31
SHA512a690d8245dbad71979f69350d5fd37aa2b0be9045ee67cf040f7db8ddf4f6eaa07409f633829950a9f2ec90e9b1839c878b75e4b554c5d4459f470e903963171
-
memory/940-87-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-117-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-61-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-62-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-63-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-58-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-64-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-65-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-66-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-67-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-92-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-69-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-70-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-71-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-72-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-73-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-76-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-75-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-77-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-78-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-74-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-80-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-81-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-82-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-83-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-79-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-84-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-85-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-86-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-59-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-1740-0x0000000006B10000-0x0000000006B11000-memory.dmpFilesize
4KB
-
memory/940-60-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-68-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-90-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-89-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-94-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-95-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-96-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-97-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-93-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-98-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-99-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-100-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-101-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-102-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-104-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-105-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-106-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-108-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-109-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-107-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-103-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-110-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-111-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-112-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-113-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-114-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-116-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-115-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-91-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-1481-0x0000000006B10000-0x0000000006B11000-memory.dmpFilesize
4KB
-
memory/940-88-0x0000000000500000-0x0000000000600000-memory.dmpFilesize
1024KB
-
memory/940-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1188-1739-0x00000000002A0000-0x00000000002A1000-memory.dmpFilesize
4KB