091d65cc343eab8301709efb9461703e8302e0fb52f4121bc20dd073431e32cd

General

Target

Kyocera-skc.com.doc
Size

208KB
MD5

96ab4a29276cee6daaf4d99286d3402b
SHA1

56a1c1ca9a23b6ee7cdd4bbcc321b6a5263eaedd
SHA256

091d65cc343eab8301709efb9461703e8302e0fb52f4121bc20dd073431e32cd
SHA512

dce4b4afda601436f92ce24271a7e13434dfdb64d6b7a3516197eed960d0137f967df4302b9afb2d18c7f664d22215dfd4488fef6404dffeb7bd00bca817a1a8
SSDEEP

3072:Xe054HEKTduag1iUJ8y9fDfl5a1QqzAwrUGtlz:1ycbEUJ8+bLaOqzAclz

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1896	1160	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1160 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1160 WINWORD.EXE
1160 WINWORD.EXE

pid	process
1160	WINWORD.EXE

pid	process
1160	WINWORD.EXE
1160	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Kyocera-skc.com.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\231657.tmp"
2⤵
- Process spawned unexpected child process
PID:1896

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\231657.tmp"
3⤵
PID:1736

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KoEawmMqaGqaQB\nPOYKOGJBxPsY.dll"
4⤵
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\231657.tmp
Filesize
464.4MB

MD5
43c2d8cb9a4b91e84f1c9345a5c032c4

SHA1
fd578e91bf7bb32ebf41f28cac838162fd2b0d89

SHA256
0d264924e4159388da41ec439c2ab686c351330291e5aefd8c591aca809fe964

SHA512
17846176c1fb835461380a09d34624ac86bae5cdae1b96498d071759fef08301b5f5bd3fa7a2fa0c6f95ff0e83a7c27429466bf04804a977094dd803de449c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\231738.zip
Filesize
957KB

MD5
5d1329c1d2495c55a15c691b25a2841c

SHA1
8a236f176708c39b19801e57e4e1b1794583f78f

SHA256
9dcf4ee48d9b986ad1c8e55ea10f51c3ce8067ca99daca0ab7d0b37f3106e1b6

SHA512
8c1b1240a3324a9266d717863072e9bd93f15c112c57c671bdb0832bb8e278705bdc4497c96eb0c12c74f667f4a4fcdf375fbd9380535c669268df5f4a226200

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
f02cb978c0a951bcdfad3a6dad3279f6

SHA1
2cd20eb04c7debea3ce0db8305144aadcaa40120

SHA256
df00733d95d699cc8e2ca4e4e5d3e108b74db1f172f9167c4731884f70c7645b

SHA512
30e1e690e00fe2c4ff99e239a8eff84396f6ffeb6136e0de5c54cee4fa63165edcb811266473489993d87e0e82eb3131462ad2012d611d959dd9c9f9813e7fba

Download Submit
\Users\Admin\AppData\Local\Temp\231657.tmp
Filesize
333.2MB

MD5
25e2a57bbda961b3f0668b6b5ebd8ea9

SHA1
c9f7f5be315c0d30ef23af12b76d40eff26e7f0e

SHA256
0642d66235eb2af5b67c7a8791724e1be578bc32d40eadaf7e34c55e12d3be8d

SHA512
88dfb28aa524361642ba0d868ece6700c6ec4fb5e5b191bb23be7dd65676fc83662a757d97b5faf044f4332f149af09338a85284dbc9d1ba6be5a52c11e01db0

Download Submit
\Users\Admin\AppData\Local\Temp\231657.tmp
Filesize
441.4MB

MD5
752554306b7f2baffa9fa5de57fad6ef

SHA1
34a51aebe1affc9a905742bf4e5e92dcf9aa9ca0

SHA256
22e213254fa1d0585973039840de62a9af1cd712bb0af5ae34a9fe5a6db5add6

SHA512
f78bcd4018bfea9fcc9ada95bd88a3c3967bdd084baf16af5a909300dda19e8b037d6ce27f7ec97826c196e3305c2928461dd61ebcb493cc67d7d22b7ded9e18

Download Submit
memory/520-847-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1160-76-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-79-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-64-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-66-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-65-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-67-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-68-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-69-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-71-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-72-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-73-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-74-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1160-77-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-78-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-63-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-80-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-81-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-82-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-75-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-70-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-83-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-84-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-86-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-111-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-62-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-61-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-60-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-59-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-57-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1160-58-0x00000000004C0000-0x00000000005C0000-memory.dmp

Filesize
1024KB

Download
memory/1736-846-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads