36f47fdefbb3ffe04a223d438c549805dde1945edb0da8bf067595db07187536

General

Target

sin título_9.doc
Size

547.4MB
MD5

d6d262cef373f6138c14fc5d1c4106d2
SHA1

6e858b0e6645148e1ce33de472eb88319376bb0b
SHA256

a2b814ddbc78ce727559c9cac6d80ad8776f8030ac9764382205731388facdb2
SHA512

a10ab044ef573a41419a4a8bc998eea9f8362d78871f404c7123649401c89a5ee7d9fe0f0cd5d1b2ea421ebfd8f2ffec979eae6c1d455b3d7fbe9d1f2a3e944b
SSDEEP

6144:zZRtBPT4N/uQaNULlPUvauNTklB7ShcbYdFf8UOPv:zZvJhfKd2amwYdKUq

Score

1^/10

Malware Config

Signatures

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

624 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

624 WINWORD.EXE
624 WINWORD.EXE

pid	process
624	WINWORD.EXE

pid	process
624	WINWORD.EXE
624	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 624 wrote to memory of 1840	624	WINWORD.EXE	splwow64.exe
PID 624 wrote to memory of 1840	624	WINWORD.EXE	splwow64.exe
PID 624 wrote to memory of 1840	624	WINWORD.EXE	splwow64.exe
PID 624 wrote to memory of 1840	624	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sin título_9.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/624-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/624-58-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-60-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-59-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-61-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-62-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-63-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-64-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-65-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-66-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-67-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-68-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-69-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-70-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-73-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-71-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-72-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-74-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-76-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-78-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-77-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-75-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-80-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-79-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-81-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-82-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-83-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-84-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-85-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-86-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-87-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-88-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-89-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-90-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-91-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-92-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-93-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-94-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-96-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-97-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-95-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-98-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-99-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-100-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/624-101-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing