7770b38eb5e7a7ceba40f2ae8767f4e5714e814e4d338fc20062929c068d149f

General

Target

Kuh.kumamoto-u.ac.doc
Size

231KB
MD5

88a6a16bad4db86859538845078f132c
SHA1

7d1ee1b7cc321257aeae09676fa27111c90eee2c
SHA256

7770b38eb5e7a7ceba40f2ae8767f4e5714e814e4d338fc20062929c068d149f
SHA512

1a397dc2ac81d704603ea7ceda392ed060db8e37d44dde0d8a46ed95760cda84190136572774db8dd27bcb82f104f71640a7ebbc52ab2afc58e1dff79e7b4761
SSDEEP

3072:ZA+PsTZ4y349tHRZ8N0AV62fEKJ3GApcRrsUvjUwKZXOl:ZPkTmm4PH8N9VVEi3GRrRyK

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1880	2040	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1880 regsvr32.exe
436 regsvr32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
1880	regsvr32.exe
436	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2040 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

436 regsvr32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2040 WINWORD.EXE
2040 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2040	WINWORD.EXE

pid	process
436	regsvr32.exe

pid	process
2040	WINWORD.EXE
2040	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

WINWORD.EXEregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2040 wrote to memory of 1880	2040	WINWORD.EXE	regsvr32.exe
PID 2040 wrote to memory of 1880	2040	WINWORD.EXE	regsvr32.exe
PID 2040 wrote to memory of 1880	2040	WINWORD.EXE	regsvr32.exe
PID 2040 wrote to memory of 1880	2040	WINWORD.EXE	regsvr32.exe
PID 2040 wrote to memory of 1880	2040	WINWORD.EXE	regsvr32.exe
PID 2040 wrote to memory of 1880	2040	WINWORD.EXE	regsvr32.exe
PID 2040 wrote to memory of 1880	2040	WINWORD.EXE	regsvr32.exe
PID 1880 wrote to memory of 436	1880	regsvr32.exe	regsvr32.exe
PID 1880 wrote to memory of 436	1880	regsvr32.exe	regsvr32.exe
PID 1880 wrote to memory of 436	1880	regsvr32.exe	regsvr32.exe
PID 1880 wrote to memory of 436	1880	regsvr32.exe	regsvr32.exe
PID 1880 wrote to memory of 436	1880	regsvr32.exe	regsvr32.exe
PID 1880 wrote to memory of 436	1880	regsvr32.exe	regsvr32.exe
PID 1880 wrote to memory of 436	1880	regsvr32.exe	regsvr32.exe
PID 436 wrote to memory of 1336	436	regsvr32.exe	regsvr32.exe
PID 436 wrote to memory of 1336	436	regsvr32.exe	regsvr32.exe
PID 436 wrote to memory of 1336	436	regsvr32.exe	regsvr32.exe
PID 436 wrote to memory of 1336	436	regsvr32.exe	regsvr32.exe
PID 436 wrote to memory of 1336	436	regsvr32.exe	regsvr32.exe
PID 2040 wrote to memory of 1128	2040	WINWORD.EXE	splwow64.exe
PID 2040 wrote to memory of 1128	2040	WINWORD.EXE	splwow64.exe
PID 2040 wrote to memory of 1128	2040	WINWORD.EXE	splwow64.exe
PID 2040 wrote to memory of 1128	2040	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Kuh.kumamoto-u.ac.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\002946.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\002946.tmp"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CXKjMf\nkzSZC.dll"
4⤵
PID:1336

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\002946.tmp
Filesize
534.9MB

MD5
c1207422044546c531c6272122d8ca86

SHA1
d9706680f9797aab1407658d906fb38035e41d0b

SHA256
7510c2f3b2095b817fffcaab8c048c17afe5e8ec75906638e9c709e7e49ea13a

SHA512
0d02bd03dab054abc08a9ab0c17e2518a9edb95de814c996c14bbef8bdb595d2a1c772d04b43402a4dce9a88c22ae4f08788189e3f481b2d58618bcfe4009f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\002959.zip
Filesize
974KB

MD5
b6e41fb09958d9c062ea82d492db0b8b

SHA1
a21e6959264bb30d0f6ed3066bbae55f03fd7902

SHA256
7c92a1613c16ae9c2d401d18e1b13a58a7c96e85ee48ff3a68250ca2e35f00d1

SHA512
4d06f870693850d3c0c3fee74331ec50a634a4c904b403644dc332147a44e248d89c2d72c64632b514b7beb7f0a410916277bed9a26ab65b4568da92b71d0ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
7e7cd67957b9c89cced08ec70fc76541

SHA1
ceb02a2b951afecd2a1a20dc8fb0ee3d16093e40

SHA256
670eb8f5c071a0cdfc99ab532276c9e780543d01693c98e8693aed0fce61938e

SHA512
ccb4ae625d34622507164c2225248c8deb82ccac7bb8eefc72f7151d81256037d8dedce7e65af90d18d40c1e7b06d3a057ee4a5420dc086308a77c65dfacceb2

Download Submit
\Users\Admin\AppData\Local\Temp\002946.tmp
Filesize
534.9MB

MD5
c1207422044546c531c6272122d8ca86

SHA1
d9706680f9797aab1407658d906fb38035e41d0b

SHA256
7510c2f3b2095b817fffcaab8c048c17afe5e8ec75906638e9c709e7e49ea13a

SHA512
0d02bd03dab054abc08a9ab0c17e2518a9edb95de814c996c14bbef8bdb595d2a1c772d04b43402a4dce9a88c22ae4f08788189e3f481b2d58618bcfe4009f28

Download Submit
\Users\Admin\AppData\Local\Temp\002946.tmp
Filesize
534.9MB

MD5
c1207422044546c531c6272122d8ca86

SHA1
d9706680f9797aab1407658d906fb38035e41d0b

SHA256
7510c2f3b2095b817fffcaab8c048c17afe5e8ec75906638e9c709e7e49ea13a

SHA512
0d02bd03dab054abc08a9ab0c17e2518a9edb95de814c996c14bbef8bdb595d2a1c772d04b43402a4dce9a88c22ae4f08788189e3f481b2d58618bcfe4009f28

Download Submit
memory/436-842-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1336-847-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2040-76-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-82-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-66-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-67-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-68-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-69-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-71-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-72-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-73-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-75-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-77-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2040-78-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-81-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-80-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-64-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-79-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-74-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-70-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-83-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-65-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-84-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-111-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-63-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-62-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-60-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-61-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-59-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-58-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download
memory/2040-57-0x00000000003C0000-0x00000000004C0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads