Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
02-11-2023 14:29
General
-
Target
2a1ea86d7062b81b8a01c7de64e3ea11.doc
-
Size
249KB
-
MD5
2a1ea86d7062b81b8a01c7de64e3ea11
-
SHA1
7f3a5cdc82804828333fda3dd30a7678cd20a90d
-
SHA256
cbc8823e0169b95c8acf6023433409bee7f26cff15efd0dcc644a6a95b9b4e76
-
SHA512
226ec240d2d3e28830893c15ebe69bca76ef90695e804910b0d242bec95cfa55d3879e2acc22f4bc866eb1431a14c1599fa2791a2b20e7bbc528e7785d8d9f1d
-
SSDEEP
3072:YZ0BTZ5/7IdefQUVXDfDts6nRq2ha0/L/ouT4UNsCiRT/mS8BeclBbN3rP1CVuj:vTDMdmQm79dkp4ziJmSElNbP1Ou
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Script User-Agent 11 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2a1ea86d7062b81b8a01c7de64e3ea11.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\143059.tmp"2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\143059.tmp"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeC:\Windows\system32\regsvr32.exe "C:\Windows\system32\BbQzCamwWT\dbnOOw.dll"4⤵
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD527bf3d6de0fe458f7110bb656008811f
SHA1230b263d98d4c955e7b625c08318d184190d1d1d
SHA2563a12609a6375e0482b50455837928d94410d7ab3b76f86ff02321194694428e6
SHA512db86fff9b44bab921fbae81c75cd922ee89977fc29e5e4d219781258795c7bcb566ce36d2596bb651538aa29296ed981063c7bc1c8937b8fe1fb8712484ea3de
-
C:\Users\Admin\AppData\Local\Temp\143059.tmpFilesize
450.6MB
MD58c83c4d80241d2d642b5f5465485782c
SHA174d5f940db050bb7a24fa65a7c5a6bb88ab92a87
SHA256be19f6d253547161a3ceb4c808ae264cc80494f13b76a23838f779a722e57daf
SHA5125b770124c242268d982f4615bd0e6c0a07a5df81fd27bd39987a894de6b0f28159679372dbac7e565c58addb7e6c41c8499b217e9a4b5f68ecd3f1ff64f00e1d
-
C:\Users\Admin\AppData\Local\Temp\143121.zipFilesize
956KB
MD5766de46cd36b31b55a6afb0634775280
SHA1cfc32453b2b81fcd01399fde8ec74eed033222f4
SHA25672c6403f29d49ccc3fda21f6841923ceab131e81c9c9af5aab524b977b233301
SHA512f277168b290ae68faa0bf4241ddc039e06b85911eb3c4be832b24dc5d8501b1aa0594706551cddafb36e6077170565716c06906136e939338fb24f4ab5a4b4c9
-
C:\Users\Admin\AppData\Local\Temp\Cab9198.tmpFilesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
C:\Users\Admin\AppData\Local\Temp\Tar9257.tmpFilesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
\Users\Admin\AppData\Local\Temp\143059.tmpFilesize
412.8MB
MD5b914fe07a66eb0cb1e7f8fe447c16b1b
SHA1991ea86ea44044ca632f135fe052b4ec68ad8769
SHA2565a736e46c27a5d1653d79e5239585cef47e8aa4d3f5b917bd956d7f8aa83111b
SHA512730ae5c6efa142ef4bb6ce9cc06dc97dcacd73939d539210a43af6d74ad747f295d5c572f38e0492cafe7216b13a0d914590e3bfe71f470c06cca523189a6aa6
-
\Users\Admin\AppData\Local\Temp\143059.tmpFilesize
516.9MB
MD563ab0ab1ed4483ad09ce0c0402acb55e
SHA1d7185996c898eedb205467e6b6f73030c2baf5ce
SHA256f2616d392cbea6cb86883ce42b7ed0856823c2812e49b334346d7aec8a950e5c
SHA512e1b6425ff2bf945a06bf1a6a6509bc43ae583cdd4f91abdd3aa5c8ce66ee2c7da7f2b5128fd6e900aec0f1f411390df2fdbafd51ccda07d89a0e1ec3ab853448
-
memory/1208-90-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-844-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-6-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-7-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-8-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-10-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-9-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-11-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-176-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-13-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-14-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-15-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-16-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-17-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-18-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-21-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-22-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-20-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-25-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-26-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-28-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-29-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-30-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-31-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-27-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-24-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-23-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-19-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-32-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-33-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-35-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-36-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-39-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-40-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-43-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-44-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-45-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-52-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-54-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-55-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-60-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-48-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-38-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-62-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-63-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-65-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-66-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-68-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-61-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-37-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-89-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-2-0x00000000713BD000-0x00000000713C8000-memory.dmpFilesize
44KB
-
memory/1208-117-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-118-0x00000000713BD000-0x00000000713C8000-memory.dmpFilesize
44KB
-
memory/1208-328-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-5-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-12-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-177-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-213-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-212-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-234-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-261-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-289-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-290-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-291-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-292-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-293-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-294-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-295-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-296-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-297-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-325-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-326-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-327-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-120-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-390-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-419-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-447-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-474-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-556-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-557-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-559-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-561-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-563-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-589-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-590-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-624-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-649-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-675-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-703-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-705-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-732-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-733-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-760-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-772-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-773-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-774-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-775-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-776-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-780-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-814-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-815-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-147-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-846-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-873-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-900-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-901-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-902-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-903-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-906-0x00000000004E0000-0x00000000005E0000-memory.dmpFilesize
1024KB
-
memory/1208-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1208-0-0x000000002F7F1000-0x000000002F7F2000-memory.dmpFilesize
4KB