ae69b2d4adbfdc6c1b9226120619ad6e3f00388f14273d19e659c9c09105c829

Analysis

max time kernel
135s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08eced1f9106516cb6786bdf3306706a.doc
Size

38KB
MD5

08eced1f9106516cb6786bdf3306706a
SHA1

b3beb8ca7ad7e1a0919df7f38935be924d9cd012
SHA256

ae69b2d4adbfdc6c1b9226120619ad6e3f00388f14273d19e659c9c09105c829
SHA512

5b4635dd4f5a1739b7ec5accc96ed4cf2d87a3591994dafda791aa51437dfc9ff310ce86f701ae2e6516b8ea3b0ae9b4e5af4dc87fcea53b019a04619b57e099
SSDEEP

384:TpsqrsnLzjaXgMdVCf2lLh52Tlz6DPMjyFtX0:TS0CfQdL3

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 3 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x0005000000019384-33.dat	office_macro_on_action
behavioral1/files/0x000600000001930c-98.dat	office_macro_on_action
behavioral1/files/0x00070000000193a1-152.dat	office_macro_on_action

Deletes itself 1 IoCs

pid	Process
2376	WINWORD.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\TypeLib\{6F087390-6919-4832-BE0F-140C19FA4D13}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F087390-6919-4832-BE0F-140C19FA4D13}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\TypeLib\{6F087390-6919-4832-BE0F-140C19FA4D13}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F087390-6919-4832-BE0F-140C19FA4D13}\2.0\0\win32	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0001.tmp\:Zone.Identifier:$DATA	WINWORD.EXE
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0005.tmp\:Zone.Identifier:$DATA	WINWORD.EXE
File created	C:\Users\Admin\AppData\Local\Temp\~WRD1752.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2376	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2376	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2376	WINWORD.EXE
2376	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 968	2376	WINWORD.EXE	31
PID 2376 wrote to memory of 968	2376	WINWORD.EXE	31
PID 2376 wrote to memory of 968	2376	WINWORD.EXE	31
PID 2376 wrote to memory of 968	2376	WINWORD.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\08eced1f9106516cb6786bdf3306706a.doc"
1⤵
- Deletes itself
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\08eced1f9106516cb6786bdf3306706a.doc

Filesize
39KB

MD5
1e3b7f132dce451b86a2bf62d48997b8

SHA1
5c4c2c2f08ec1333c62ce1b7bcd5b7498f39152d

SHA256
ec0a495059722f901c9f56ce489e7d3b449fd5bb554b176d5af9fa6421128ce8

SHA512
5b60b3f7dd689931b7c960b4470acda9e79b5307373ca5c342f58e916498e45d3c142f74a037e1abd24fc5853f45be3d5a30a0eee485ddc3d0486a7e138b08ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\08eced1f9106516cb6786bdf3306706a.doc

Filesize
39KB

MD5
cf9f4f4c1213346ccf832af583ed19a0

SHA1
76bc040df176098bb237155f178a7c7980977112

SHA256
c8f89a640eb8c0b076c6e617cbe2f3780e7d7531daf322e9277313eba69dda18

SHA512
36a1eb01e320fd0ebdd32b95e9900e5dd766d6d0b17a7cc1a1d437d241781949168f08ffd6fc5d3fbdcccb59824d6756b89bae5e22a55489f9a17cbefd423dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\08eced1f9106516cb6786bdf3306706a.doc

Filesize
39KB

MD5
5bab8a8028073e9234cb37718ced1b14

SHA1
25bbf6dfc5c56be21c02814d2c0712660758ed25

SHA256
51639db43967059fa132f5e11c2d672f87d640ad2e94f171007090bfafe86820

SHA512
64aaa4f3bca65020398e8f63ebef343ccb9f47ea09578e0d25d1a0739c4dea342e793a039802748ffc1474d6585842fc8b15ae02cb85d7c69486cbfef6fc0da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD1752.tmp:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
26KB

MD5
494fbd20d901b4576820930c0add0067

SHA1
ad0860a47407395ffbfb31d8fc18bf0c2248c8c9

SHA256
5d1aa77d7f18f78450f3e92803198826dfb8ceb646b5444c73ca018036e89494

SHA512
6c7bd3608c55d75c4929b361c65da4e50ba7f11280c461a0d23c337b04eaa11a3d3b5fdddf26516257c3fb8d3fd1a3bd7e3a89406986bc720180a27dead96fd4

Download Submit
C:\footprint.$$$

Filesize
2KB

MD5
58d83041ef4e2c7479987249a49533bc

SHA1
9a10135e34066d5c4ed0cc80cbc1a9cc2859847f

SHA256
54cb726fdc9bfc054f4ce2d4959633e0d30d28a04bbfd82f42a6f032b9362134

SHA512
02a62af7399d0a804f61786194e5b03bb536b63d822deb88ef0ca38142bb010a893cf8eb325db5d04be96bceea74f465e2015cca57e65fa5ce7750014755b589

Download Submit
C:\footprint.$$1

Filesize
1KB

MD5
bd4a8992a606721c9e1974c0e9b7d37a

SHA1
96e604b407dbf93ce90ab8ea722518e606f1f370

SHA256
a00badfef38ee36a4b2cf6d622d78372e456f11a0942d2029cf1f71115d0c70f

SHA512
e5ac725751398a521a194ba26ee2f3158167182cfb43b116ab6a422677692825f5f978a965b0a7ddf6e92fb840777d4d0865873fe0c98aed46290213cdb238cc

Download Submit
memory/2376-14-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-58-0x00000000058E0000-0x00000000059E0000-memory.dmp

Filesize
1024KB

Download
memory/2376-13-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-11-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-0-0x000000002FBB1000-0x000000002FBB2000-memory.dmp

Filesize
4KB

Download
memory/2376-10-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-44-0x000000007171D000-0x0000000071728000-memory.dmp

Filesize
44KB

Download
memory/2376-45-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-46-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-47-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-48-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-49-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-50-0x00000000058E0000-0x00000000059E0000-memory.dmp

Filesize
1024KB

Download
memory/2376-51-0x00000000058E0000-0x00000000059E0000-memory.dmp

Filesize
1024KB

Download
memory/2376-52-0x00000000058E0000-0x00000000059E0000-memory.dmp

Filesize
1024KB

Download
memory/2376-53-0x00000000058E0000-0x00000000059E0000-memory.dmp

Filesize
1024KB

Download
memory/2376-54-0x00000000058E0000-0x00000000059E0000-memory.dmp

Filesize
1024KB

Download
memory/2376-56-0x00000000058E0000-0x00000000059E0000-memory.dmp

Filesize
1024KB

Download
memory/2376-57-0x00000000058E0000-0x00000000059E0000-memory.dmp

Filesize
1024KB

Download
memory/2376-12-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-61-0x00000000058E0000-0x00000000059E0000-memory.dmp

Filesize
1024KB

Download
memory/2376-60-0x00000000058E0000-0x00000000059E0000-memory.dmp

Filesize
1024KB

Download
memory/2376-62-0x00000000058E0000-0x00000000059E0000-memory.dmp

Filesize
1024KB

Download
memory/2376-63-0x00000000058E0000-0x00000000059E0000-memory.dmp

Filesize
1024KB

Download
memory/2376-7-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-9-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-8-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-109-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-111-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-115-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-6-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-117-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-116-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-114-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-113-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-112-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-108-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2376-2-0x000000007171D000-0x0000000071728000-memory.dmp

Filesize
44KB

Download
memory/2376-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2376-172-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download