4e943075967fb249b56a16f3f7c9d647e98d6d85af2b162aa623ee7fc33dc331

General

Target

gescanntes-Dokument.doc
Size

535.8MB
MD5

10b71d7f695ac3f1a6267d132c825db6
SHA1

02a7b36c21a416b9a2b094a0a3b6eed005673985
SHA256

3695ed0ba836d615bbadea21eefaf5c0b565a4af6aff8c09aba17b3e3dbd2ada
SHA512

6686b2d0f608151b8268991c39e7f39acf1a8f13abc421b8679e1c32e4bd5c96b77e1a7a8ac2e58b011a0bebf5ee187b022bdaeebfa143bc1016ba75eca10303
SSDEEP

12288:XxYDQ8EW+Ba+qKYR08a72L2X0dMzPPqvBUEu3uNsRAPYwT4q3MJ/d:2DPElaSUqqafj9Q4ZJ/d

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1068	1720	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1720 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1720 WINWORD.EXE
1720 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1720 WINWORD.EXE
1720 WINWORD.EXE

pid	process
1720	WINWORD.EXE

pid	process
1720	WINWORD.EXE
1720	WINWORD.EXE

pid	process
1720	WINWORD.EXE
1720	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\gescanntes-Dokument.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\145052.tmp"
2⤵
- Process spawned unexpected child process
PID:1068

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\145052.tmp"
3⤵
PID:436

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZQhKhWrH\kAyTDehtKjqFOjBb.dll"
4⤵
PID:1368

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4e4652879caf1e2dc3d88a3695b764fa

SHA1
b727ca1318384b58856fbf225280503a9b5a56d7

SHA256
d45562d489503e913ec5f564ea58d9856e26733bb88a5cbb962435fc9560e7b5

SHA512
bf21f389207e04396dafdd1e37ac549d8d450ccdfba455ae39f5053313caa995121d50ccfda7360c662146e0c1028da6d101d4133e3ff2c1dee16ad06c7ecd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\145052.tmp
Filesize
410.8MB

MD5
6629221abc936daa910e14a3fccc4151

SHA1
f809f6431c85554e3ebe3cb2e9fb96006ea00cad

SHA256
8b73010301854c0d26fb98ea020bc2bfe0703533f955ab4da8a204f93a97ff4a

SHA512
7ac33b333811a85dacefbb9ac9ac38691672f474c2cd4139ffca2c2ef298077484503716feb501718a1e5c62c807fe4dfc5aac3d967fe55529a19a5b78270252

Download Submit
C:\Users\Admin\AppData\Local\Temp\145106.zip
Filesize
795KB

MD5
7200a9fb6680cf36b8284742b2bbe0e3

SHA1
ab7f0edb20ba53418705af038907137cd87c6753

SHA256
4bf24e067d21602596bfa0d702ab8c881c84612fe5bbcd7ccb295559f96fc539

SHA512
c3969295c42d0c2a2ecdd5c71c316946b02e9820af66fc47f4313f43a44a70da3fbeb73617aec5ab0b189790f61c785f73e0b2305893389e684b47cdc8bf7dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3122.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar32CF.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
\Users\Admin\AppData\Local\Temp\145052.tmp
Filesize
365.9MB

MD5
f8cfdc90b19802e2ade06a1b4d1c21a2

SHA1
f0943e4c5ecab2b64b5df656ce46f95e9582102b

SHA256
e90eb964ddc11277ff9502f005a483a87c6f40403fbaa2cae70ad60d4a0a2e44

SHA512
6ae18d1d64f7c18b751595f1f021f96c8690a0ecbfc2899d407718032a1804412003b7f10c5dc25578afb890409b29264f13c310e11b02bbfe15a4d7eac75f5f

Download Submit
\Users\Admin\AppData\Local\Temp\145052.tmp
Filesize
383.2MB

MD5
e0aa9b9c6c43bf2c5eb29e4e53871cf3

SHA1
244538f17092915e5a93595126777d31e3b3d7ad

SHA256
04b750a493faa65bf4c995fe268878e35964d8b5bcd3cfa308a157c82afba691

SHA512
1992de119d05aa858e36d489ed51c3cdde6b139b182e07ce8526bd34ee9bd408548bc73a622b511a95ff1f2fc60d4f0dc9b493ae88b5883196510dd799f1d63a

Download Submit
memory/436-1696-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1368-1698-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1720-85-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-90-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-63-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-64-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-65-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-66-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-67-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-68-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-70-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-72-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-69-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-71-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-73-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-74-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-75-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-77-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-76-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-78-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-80-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-79-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-83-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-82-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-81-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-84-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-61-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-86-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-88-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-87-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-89-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-62-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-92-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-91-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-93-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-95-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-94-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-97-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-96-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-98-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-99-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-102-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-100-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-101-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-104-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-103-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-107-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-105-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-106-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-108-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-109-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-111-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-110-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-112-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-1455-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/1720-60-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-59-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-58-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-57-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/1720-1697-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/1720-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads