46565a6680f1109b7e2992372ce32198250848f8a76272400a00741072982787

General

Target

5458353974866046490330130384.doc
Size

215KB
MD5

eb955ede0aec078ab68cfa3961d7c51f
SHA1

2be16fceb95d47fb068f336da92f51a70342be2e
SHA256

46565a6680f1109b7e2992372ce32198250848f8a76272400a00741072982787
SHA512

88c60ed3bec8486b048a71fb1e803a64a390fe2c35b859f06aa5ac21d28c9514d59bc14da45a89579edae9e5a968ba1c92f1c2e5582fbcb1d3001a62bec78e82
SSDEEP

3072:rtDUowQvvcXbKWVLarYTEDNxNQ5uBBzwFWIVMRcQDNu9spD3qWjx9:ryorvEm+LaMTEfe5Awrw4WN9

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

848 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

848 WINWORD.EXE
848 WINWORD.EXE

pid	process
848	WINWORD.EXE

pid	process
848	WINWORD.EXE
848	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 848 wrote to memory of 572	848	WINWORD.EXE	splwow64.exe
PID 848 wrote to memory of 572	848	WINWORD.EXE	splwow64.exe
PID 848 wrote to memory of 572	848	WINWORD.EXE	splwow64.exe
PID 848 wrote to memory of 572	848	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5458353974866046490330130384.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:572

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
19f0e0a3c23ea68e45a81eb9460929d2

SHA1
3ef936cd2435e8cb41c7cc3507e5ddf9ba076496

SHA256
6847c17945c266353deea3882ae7ab1ce4274ced55201fc4b1072b3e90a1388a

SHA512
3c1195c639f0342825c653d657cd9f8f9b12f895407942cb4bd3e6e2de30124b95fcd209d888e01de9fff34f59f46464cf8baed6ea34b91664d53630404c33d8

Download Submit
memory/848-68-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-59-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-73-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-61-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-60-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-62-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-63-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-64-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-66-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-65-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-67-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-69-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-70-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/848-57-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-58-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-74-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-75-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-76-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-77-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-79-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-80-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-81-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-82-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-78-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-71-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-83-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-96-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-109-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/848-72-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing