Analysis
-
max time kernel
37s -
max time network
98s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
15-03-2023 04:56
General
-
Target
QS75790832498186151LQQ.doc
-
Size
544.2MB
-
MD5
d010772a1cabb304c5febfeccc88469d
-
SHA1
d43c562d6568f7ec28986d9008d136771d147047
-
SHA256
25ac9a0d8addecfc48aa37215a67edb773b4d9177f824f3cdbbb7201c5b4417a
-
SHA512
2b5e225b99712f2b047f8961ebc4a14cb285a1f563642e09a7715a19cbb39805c5b8c5237fa10012dc9712ff56f18cc8614d7cd54e0819cfcc59c18a94ceabba
-
SSDEEP
3072:eoEW2aOtFjH0lP2IpjctfRcVVwEi/A8NVM1wIOCbX6bYLjWFJuvx7ueK6:ZE1aOtFa2I9c3aVw4zwxCbJ4Jup
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 9 IoCs
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\QS75790832498186151LQQ.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\045717.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\045717.tmp"3⤵
- Loads dropped DLL
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\ApKAYrnmqAs\iwWqWmxQPAktdjZZ.dll"4⤵
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5f4b88565c637fa76d9a05bf2c5f3136b
SHA126d21734e1e2fa4107983c3460e4ec9ae2ca61c1
SHA2569466680eb06ca419f7d8c7c42fd25bf00d5f265c040c3a6eedd156b7ef1cf6be
SHA5127fe8ff8b734bd1c1f9f066a99f7b9d92d653fd38e25ad83b08fb086e529c0947f9a5c33f77c2e33a77e015f56da7acf4ace7b21bc66e147ebf8a5d7340b2c79a
-
C:\Users\Admin\AppData\Local\Temp\045717.tmpFilesize
493.9MB
MD5d11bcd7b907e57e8afbb0cc13a77bf63
SHA1a1447d08f9a4989d18429356f2ffcb8f970f5994
SHA2563212276088dc4d124bfbd886edf2b6fbe4838185c1a0dca68a2378ad90263add
SHA512b1bbb5dcda8936bd3c4e32ea48fe9e2b0f71d7beea856f200ed57461fd6b21d123375edeeae0a73296f2cf9e042cdacb3fdf46409c4239827f51716c8fad604d
-
C:\Users\Admin\AppData\Local\Temp\045732.zipFilesize
819KB
MD5b13338f0035a1eb256605e50eec79fbf
SHA18cf000ce289c5e990fb06c28de87b2a69dea6079
SHA256f1fd0fe8cb3d2f7eaf14460ea25edbad3c70c06bba674088b8cabf7464ac5381
SHA512846d1029e6e2fbaa21a7ab6114fa4baf852e505908579541644a23b703f7b5506056ac8ee83d7ba505ba236c53103b4e81eaacf2e04678e3171e50828b7a1bf1
-
C:\Users\Admin\AppData\Local\Temp\Cab6250.tmpFilesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\Local\Temp\Tar663D.tmpFilesize
161KB
MD5be2bec6e8c5653136d3e72fe53c98aa3
SHA1a8182d6db17c14671c3d5766c72e58d87c0810de
SHA2561919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA5120d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD527ed6928fc5250e982ccc6285cb20cda
SHA19a683bcec89cf0b6ba1dc88462501e1397a6af8f
SHA2566d30b7663596f00753160198b95137f3286508196521d1e5cdfed1a77f71f920
SHA512d3c9a9f1a56964c45f6940b406e21ea428660618ad5510bf108f5d39015d988410c061eeceeadb7c03a63e89d9210a62e0f6f701d335438f2e75e600bfee6a79
-
\Users\Admin\AppData\Local\Temp\045717.tmpFilesize
502.4MB
MD5adfc4446ef230aadd74493a0d188a794
SHA101bc8cef29e2b70600810c34570bdc30bb6565a3
SHA256b2d14308bc8ece2be337ccc5212989309e6bef201080b7ee4956aaaef6334f2c
SHA512d6f8069f6285770ce3aa4efc11a288fec225bea02d742e60f4b00b22e6f1a76fdd3b678fd6b62d0cfe116fca0d77d1837edbd52bd1b9dea473fe4cb2961b4b22
-
\Users\Admin\AppData\Local\Temp\045717.tmpFilesize
340.6MB
MD547ebb752a88c07c44681cf05fd65ce0f
SHA120a9fdfbc2b9bb33211841f7bbcb7564933d4044
SHA256ba4938d3bfd8a8ec50dd4d29a31b04202ffdf32437fa3a9c8eab62962acf94fb
SHA512028cb4d2536bfd49d5aa0d50222609f23e0c4fba67df2a0de7c4d50938963e7f72692c1afcc825f6c2c19700a7ee4502fea6660ec688dab2da09547de2894ad0
-
memory/1232-907-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1960-912-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2024-66-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-83-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-69-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-72-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-73-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-71-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-70-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-75-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-76-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-78-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-79-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-77-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-74-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-80-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-82-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-68-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-81-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-84-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-111-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-65-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2024-67-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-62-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-64-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-63-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-60-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-61-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-59-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-58-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB
-
memory/2024-57-0x00000000006E0000-0x00000000007E0000-memory.dmpFilesize
1024KB