c7cb8dbdcd8cfdb6d2440080afc3e715b6984b5ab2b88e9919fbb70136325368

General

Target

CU211490942534_202303220815.doc
Size

290KB
MD5

9e165cbfb9c884725bbd4df0f83b139a
SHA1

713a6d2bc02f69c677c15a6552185eca010394dd
SHA256

c7cb8dbdcd8cfdb6d2440080afc3e715b6984b5ab2b88e9919fbb70136325368
SHA512

cc0a6546df04e53546ab456d380c61b8859555e7219a34f42161157b157d59bfc31caff7b216be57186aa9d369fc7d2a0f64e2c9bf53956941b779478b52261f
SSDEEP

3072:Fnmahvzr1u2/MbZWMRch0bND6b38zFjjac92mM0WDTAG7UaVGVFoQ9cTMsTViEdp:YkvgZWth0bd6b3QnJ2JbuaaqTMCJp

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	864	2040	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

864 regsvr32.exe
1692 regsvr32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
864	regsvr32.exe
1692	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 10 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2040 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

1692 regsvr32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2040 WINWORD.EXE
2040 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2040	WINWORD.EXE

pid	process
1692	regsvr32.exe

pid	process
2040	WINWORD.EXE
2040	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

WINWORD.EXEregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2040 wrote to memory of 864	2040	WINWORD.EXE	regsvr32.exe
PID 2040 wrote to memory of 864	2040	WINWORD.EXE	regsvr32.exe
PID 2040 wrote to memory of 864	2040	WINWORD.EXE	regsvr32.exe
PID 2040 wrote to memory of 864	2040	WINWORD.EXE	regsvr32.exe
PID 2040 wrote to memory of 864	2040	WINWORD.EXE	regsvr32.exe
PID 2040 wrote to memory of 864	2040	WINWORD.EXE	regsvr32.exe
PID 2040 wrote to memory of 864	2040	WINWORD.EXE	regsvr32.exe
PID 864 wrote to memory of 1692	864	regsvr32.exe	regsvr32.exe
PID 864 wrote to memory of 1692	864	regsvr32.exe	regsvr32.exe
PID 864 wrote to memory of 1692	864	regsvr32.exe	regsvr32.exe
PID 864 wrote to memory of 1692	864	regsvr32.exe	regsvr32.exe
PID 864 wrote to memory of 1692	864	regsvr32.exe	regsvr32.exe
PID 864 wrote to memory of 1692	864	regsvr32.exe	regsvr32.exe
PID 864 wrote to memory of 1692	864	regsvr32.exe	regsvr32.exe
PID 1692 wrote to memory of 1920	1692	regsvr32.exe	regsvr32.exe
PID 1692 wrote to memory of 1920	1692	regsvr32.exe	regsvr32.exe
PID 1692 wrote to memory of 1920	1692	regsvr32.exe	regsvr32.exe
PID 1692 wrote to memory of 1920	1692	regsvr32.exe	regsvr32.exe
PID 1692 wrote to memory of 1920	1692	regsvr32.exe	regsvr32.exe
PID 2040 wrote to memory of 832	2040	WINWORD.EXE	splwow64.exe
PID 2040 wrote to memory of 832	2040	WINWORD.EXE	splwow64.exe
PID 2040 wrote to memory of 832	2040	WINWORD.EXE	splwow64.exe
PID 2040 wrote to memory of 832	2040	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\CU211490942534_202303220815.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\001541.tmp"
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Users\Admin\AppData\Local\Temp\001541.tmp"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZMVJijX\ptcGHKLobZjtNX.dll"
      4⤵
      PID:1920
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\001541.tmp

Filesize
477.1MB

MD5
93af932a5fa3ae4fa7646386418da305

SHA1
f69fb2fd675b8c5aed747e99229372006654af79

SHA256
b949cc17b6f53ecfebb8900e03fda84677c63cc99b72a3a8b1c2e9ed4646e158

SHA512
9c24b99a2eb7b25ec4597d6a80441835c7a4c19d255b699c249c6f695d9117079d3694619a02774a8d330e5a8f1d92c26c0150f820a5a772cfad574376eefbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\001607.zip

Filesize
949KB

MD5
920beeae5812bf6193115e94616d0c40

SHA1
363df991fd787fc0e33a450d8c1ee7b50b6d5792

SHA256
24f0b8bc8eee58c0ea36935fc1c969047132b41f5e0e5fb64273062a0c24515b

SHA512
4bb5f9cdbbd16dcbe0afbd534efbddab362159392211fdf658772187d6108ffea65fa5eb7ab34a53e6a6b67521fa0a8bc29917ba01be0e7f971994a74f839d73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
9304aaabd2632bba83c7ca21a8e44e95

SHA1
54ef3fd1eb3d5b2848bd8ed05c6b0fd0306cd0cf

SHA256
7665856b148a02b19b477d93cfd38fc375060427a5196e411de10ba3c83a0f66

SHA512
9772515114e50ec8d45070fc90a0a3a70244ce699f4b519dea3ace07458f9a8b884aea1d8723c16c3fa7d0fb85d7f2ddd5349135fe1e5b629c60e90c37f927d2

Download Submit
\Users\Admin\AppData\Local\Temp\001541.tmp

Filesize
435.8MB

MD5
d0e156028f398b12d442e39e26e33b3a

SHA1
4cfdce54863041cf9aeb057a90903ae784ee424f

SHA256
3184c8651467ae6762f942a34e3273c583b15d05bc41ac6a00e65c603c25d86e

SHA512
7482bc9f73c447fac3813b6186057073aec8394c20891589fb77efea1a0d8b1e4c7bd6bdf46c339d36c7ad36e3ecd428cdadb5d0da57c21fd5e19910accf49c5

Download Submit
\Users\Admin\AppData\Local\Temp\001541.tmp

Filesize
509.9MB

MD5
c03951ac70552d5c6ddaac720916be61

SHA1
a7e86222b50fca01b5ef42fd4923c5b26435cee2

SHA256
6dc3bd52836a6cc136c6806ef153e69501342183c0a3509bdc8f477d34d0a16f

SHA512
8e6f6a1e1176df75dc1b316a670acf3bb1bd848c2951e975cec1f1f59d0178f9a630ec27c4fa7c7982a7d366abec27a2408f5fa3571b559005dc79a8ad8c3d4a

Download Submit
memory/1692-842-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1920-847-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2040-75-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-82-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-67-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-68-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-69-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-71-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-72-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-73-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-74-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-76-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-77-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2040-79-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-80-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-81-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-66-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-78-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-70-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-65-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-62-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-83-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-84-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-111-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-64-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-63-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-61-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-57-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-59-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-60-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/2040-58-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads