Overview

overview

10

Static

static

8

S418666808...57.doc

windows7-x64

10

S418666808...57.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    21-03-2023 22:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    S4186668082_202303220757.doc

  • Size

    260KB

  • MD5

    324af6b62d75ef88de29fe68c8ded492

  • SHA1

    1825da5e81ff30ac9901d021d1b89032dfc96bcc

  • SHA256

    e0f66132f138b6e15360fdc2478d46236c88048182128371b0d507b398937034

  • SHA512

    fd6200b9ab5465e48f6125ffcb2559ae281cc782108947493a2e59436eb25fa559c0d3605c25bf01523ee47f9fcb71c04ce7c9d95229d59dcf98effe385ebecf

  • SSDEEP

    3072:I7HvJK9MzDIQPf0+SUoUXkgQjaap0GnRcegvsjkzIDEp+XlRNBueyeJY:ITthS8kTjBRcjvsgzlYXlseyP

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\S4186668082_202303220757.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\235735.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\235735.tmp"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BtBue\HfCX.dll"
          4⤵
            PID:1716
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1064

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\235735.tmp
        Filesize

        516.9MB

        MD5

        63ab0ab1ed4483ad09ce0c0402acb55e

        SHA1

        d7185996c898eedb205467e6b6f73030c2baf5ce

        SHA256

        f2616d392cbea6cb86883ce42b7ed0856823c2812e49b334346d7aec8a950e5c

        SHA512

        e1b6425ff2bf945a06bf1a6a6509bc43ae583cdd4f91abdd3aa5c8ce66ee2c7da7f2b5128fd6e900aec0f1f411390df2fdbafd51ccda07d89a0e1ec3ab853448

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\235737.zip
        Filesize

        956KB

        MD5

        7a8514e64a4fc18c49e6b99a74809f53

        SHA1

        48eaaa9149d421dd357a4c9bbf010b7476955752

        SHA256

        810bbe720d6286bccae93e9cba11adbb55b1900ac18799ed0dc36508ba2353e3

        SHA512

        8225ba0d1d28e1e549bb47e24b1e1eb04b878f188c7e19331ac32db76f9736e377fcfa46d8ad993f0fbf88f5cbcd5674519a7556e86c12d9a13cd81d7deb53f4

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        24d91d59a90743771d331c5b5a5f057d

        SHA1

        db27b235c3284d475487ca738532fd9e98b2ac7d

        SHA256

        736b03cc53c8d39a573131f430af531a3d5e69adb41b56665b5e9ff548e71202

        SHA512

        5ae187aa9f3d78d0e46f9a08c38276db1b9453f729fbc5542439b300c3f1380769aefa20fee3fa8fecc1dc535e4b4911ea84469309577d1cdfa7e82bd413d3d9

        Download Submit
      • \Users\Admin\AppData\Local\Temp\235735.tmp
        Filesize

        516.9MB

        MD5

        63ab0ab1ed4483ad09ce0c0402acb55e

        SHA1

        d7185996c898eedb205467e6b6f73030c2baf5ce

        SHA256

        f2616d392cbea6cb86883ce42b7ed0856823c2812e49b334346d7aec8a950e5c

        SHA512

        e1b6425ff2bf945a06bf1a6a6509bc43ae583cdd4f91abdd3aa5c8ce66ee2c7da7f2b5128fd6e900aec0f1f411390df2fdbafd51ccda07d89a0e1ec3ab853448

        Download Submit
      • \Users\Admin\AppData\Local\Temp\235735.tmp
        Filesize

        516.9MB

        MD5

        63ab0ab1ed4483ad09ce0c0402acb55e

        SHA1

        d7185996c898eedb205467e6b6f73030c2baf5ce

        SHA256

        f2616d392cbea6cb86883ce42b7ed0856823c2812e49b334346d7aec8a950e5c

        SHA512

        e1b6425ff2bf945a06bf1a6a6509bc43ae583cdd4f91abdd3aa5c8ce66ee2c7da7f2b5128fd6e900aec0f1f411390df2fdbafd51ccda07d89a0e1ec3ab853448

        Download Submit
      • memory/1716-847-0x00000000002C0000-0x00000000002C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1888-842-0x0000000000480000-0x0000000000481000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2008-106-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-376-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-187-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-214-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-241-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-268-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-295-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-322-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-349-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-160-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-403-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-133-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2008-83-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-82-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-81-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-80-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2008-79-0x0000000000390000-0x0000000000490000-memory.dmp
        Filesize

        1024KB

        Download