05a375d786ed166c57bd5b4b3d7aab0f8a3c020621e6d1c93feda5bac92b5fe3

General

Target

invoce No 301730 03.2023.doc
Size

521.2MB
MD5

afc31854a5b81d139781bb8f5da80dba
SHA1

5c4762423ecd2fdd48573332a6703b2b8cdb5244
SHA256

edd1f76cc33e5df06953a3a01f43250f4024ccaa76dca3a30fc9a589f9de99d3
SHA512

84283e9b92dc45fcfa3646799c9f9f45f00086a201730138e72c8dda0aeb451c19602463d35910c5539745d3c500211952445c802f9ad940524b203fc8f02e48
SSDEEP

3072:OeGZrTwWS6ZL1CkdXDhjaPLW8Nl+U/XqP82gng0o1JiM0rK:gZvNL1BdXNONLq5FarK

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1720	1780	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1720 regsvr32.exe
1768 regsvr32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
1720	regsvr32.exe
1768	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 5 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1780 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

1768 regsvr32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1780 WINWORD.EXE
1780 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1780	WINWORD.EXE

pid	process
1768	regsvr32.exe

pid	process
1780	WINWORD.EXE
1780	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

WINWORD.EXEregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1780 wrote to memory of 1720	1780	WINWORD.EXE	regsvr32.exe
PID 1780 wrote to memory of 1720	1780	WINWORD.EXE	regsvr32.exe
PID 1780 wrote to memory of 1720	1780	WINWORD.EXE	regsvr32.exe
PID 1780 wrote to memory of 1720	1780	WINWORD.EXE	regsvr32.exe
PID 1780 wrote to memory of 1720	1780	WINWORD.EXE	regsvr32.exe
PID 1780 wrote to memory of 1720	1780	WINWORD.EXE	regsvr32.exe
PID 1780 wrote to memory of 1720	1780	WINWORD.EXE	regsvr32.exe
PID 1720 wrote to memory of 1768	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 1768	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 1768	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 1768	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 1768	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 1768	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 1768	1720	regsvr32.exe	regsvr32.exe
PID 1768 wrote to memory of 524	1768	regsvr32.exe	regsvr32.exe
PID 1768 wrote to memory of 524	1768	regsvr32.exe	regsvr32.exe
PID 1768 wrote to memory of 524	1768	regsvr32.exe	regsvr32.exe
PID 1768 wrote to memory of 524	1768	regsvr32.exe	regsvr32.exe
PID 1768 wrote to memory of 524	1768	regsvr32.exe	regsvr32.exe
PID 1780 wrote to memory of 464	1780	WINWORD.EXE	splwow64.exe
PID 1780 wrote to memory of 464	1780	WINWORD.EXE	splwow64.exe
PID 1780 wrote to memory of 464	1780	WINWORD.EXE	splwow64.exe
PID 1780 wrote to memory of 464	1780	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\invoce No 301730 03.2023.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\232454.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\232454.tmp"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YfMQSkEtWpmSFwzgr\uRwngooKhvGSq.dll"
4⤵
PID:524

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\232454.tmp
Filesize
533.9MB

MD5
6c442d3235f3e60f7a9ea3efca0289ab

SHA1
98a3e3afbac75a582ffbc6d67c39a67fa7c97f63

SHA256
9dd2387b18930f0dc67917b2b14c9146bfc6f395fe917d8decc3263011797efa

SHA512
0a40b46ecde2142f60aaa406ddc06d912c8deb4fee14716de31e23b74718531c003ee6adebb10e47325c3fd67a1f7ef5ff51c72e9abddc7d18ed4bbb8ce9ab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\232457.zip
Filesize
973KB

MD5
fb96c419bd0722716503e23598a1fab1

SHA1
72e86e52981ff5df29ca023cacf0d40a89037a42

SHA256
10992b465132f2bb4d25db0dcedb6994d81c64733de5412f06eb830ff65f18df

SHA512
96e814d473f30d6ebe6e93b3cfb436657c04e40472486677cebcbf53266d8801543f98237b42c791678a1ebc18935a0a6692734cb52f1431c51417dbc91c9b40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
93a53cfd8b33fb1b537c2a345cf6085c

SHA1
b756b718f7dde7f6fd396f8a08e3bdebd3d84de5

SHA256
51d221682f27863e8ac077465af816629bde207cbae7a3f7a1bb492db285cfa8

SHA512
48576f8d4a18306516ff8129eda75f4492af511c6058b20b9f476c6e7cce811a78465ba426b8f2ef3b20e738035039e6a8021b955d6534bc8ef9c6a727475cf3

Download Submit
\Users\Admin\AppData\Local\Temp\232454.tmp
Filesize
533.9MB

MD5
6c442d3235f3e60f7a9ea3efca0289ab

SHA1
98a3e3afbac75a582ffbc6d67c39a67fa7c97f63

SHA256
9dd2387b18930f0dc67917b2b14c9146bfc6f395fe917d8decc3263011797efa

SHA512
0a40b46ecde2142f60aaa406ddc06d912c8deb4fee14716de31e23b74718531c003ee6adebb10e47325c3fd67a1f7ef5ff51c72e9abddc7d18ed4bbb8ce9ab24

Download Submit
\Users\Admin\AppData\Local\Temp\232454.tmp
Filesize
533.9MB

MD5
6c442d3235f3e60f7a9ea3efca0289ab

SHA1
98a3e3afbac75a582ffbc6d67c39a67fa7c97f63

SHA256
9dd2387b18930f0dc67917b2b14c9146bfc6f395fe917d8decc3263011797efa

SHA512
0a40b46ecde2142f60aaa406ddc06d912c8deb4fee14716de31e23b74718531c003ee6adebb10e47325c3fd67a1f7ef5ff51c72e9abddc7d18ed4bbb8ce9ab24

Download Submit
memory/524-847-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/1768-846-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1780-74-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-77-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-68-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-66-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-65-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-64-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-69-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-70-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-72-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-71-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-73-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1780-75-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-76-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-78-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-67-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-79-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-80-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-81-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-82-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-83-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-84-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-86-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-111-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-60-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-61-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-63-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-62-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-59-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-58-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1780-57-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads