89d4d85592bf0b5e8b55c2d62c9050bfa8c3017f9f497134dbacbb2a0f13a09e

General

Target

mof-npd-circ20240103.docx
Size

1.6MB
MD5

8202209354ece5c53648c52bdbd064f0
SHA1

683210af38ef15f1bacb67ddc42f085bee05cf35
SHA256

89d4d85592bf0b5e8b55c2d62c9050bfa8c3017f9f497134dbacbb2a0f13a09e
SHA512

df8d1aaf4798541f25797c2928db9c90f03f534f5a326d05e160ae4f293fd0abd68b5e4ac9468da7a6af82a5b6eb2a79395367b2cdb514b57c76e5bb958cb47a
SSDEEP

49152:JJb+67s4Y+WJ9UhMQzTDdwPaQx3fNdK1HAgCclqDhDAy:/f2mhMQ3DEaG3eHAgCclgEy

Score

1^/10

Malware Config

Signatures

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\https:\president-gov-lk.donwloaded.net\a4884a53\file.rtf	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2232 WINWORD.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXE

pid process

2232 WINWORD.EXE
2232 WINWORD.EXE
2232 WINWORD.EXE

pid	process
2232	WINWORD.EXE

pid	process
2232	WINWORD.EXE
2232	WINWORD.EXE
2232	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mof-npd-circ20240103.docx"
1⤵
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
412c80c6c0e431989236e56e473678a8

SHA1
e6cbba7bb9f8d597f671f6588dd9e8876641bbdb

SHA256
c78c66a4571fb77d7496416a206f1da5306b17fb954d02e1d18c127a6f4f2ce6

SHA512
e3496328b7ae38626cc858c5453a3d57d05ba0c072ecc8a936d3fd2ad6e7970f90378b78e34d6f559280247e74539d862ec4f781fbc21703dae356c8307861c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{67F0942C-3428-420D-A430-91EEA3139B28}.FSD

Filesize
128KB

MD5
3b325faa4ea56e0000abc457ff84f299

SHA1
129f0560ccdffe08a3581c8fa54a503d3320e373

SHA256
c57fb09912223d9b1936070532093867ac609a24717da01b34d6848c5155d066

SHA512
55bde07d9f18853b4801a7f8e5b25f5fd011e774c7e087e53a7ac2b187816f159d3b2d006b2f982407e91062ad6de22d7529d4199228542c28792d9c09f526bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
9814a82516f683a38e35d9d383d69e76

SHA1
9dcd8e99e2c8292bad38fd5fc39fce7d87c15aec

SHA256
7a20f2d61a9f1429e94a457986643b4b5124ece44204c395a3ab72277ddb7d2c

SHA512
06cc2d5ca537d51f37a2bc4e759000bed6cf37304fd95cdf8d4617a7701405c80d3f1cce1f5812460582af649bc19ab8d8e332a1d901d8aad961509b742ec4eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7EDF7860-94C4-43D4-B43A-CAC75B7C7398}.FSD

Filesize
128KB

MD5
632e885de8cb19b2291ea258e74d0c59

SHA1
08a5cbe8c3c424ce7ea2a572ce610a864924f6fe

SHA256
b0a91cdeb6a8da07af25450b6416855a32ceb1af2d9fd19a126488a52604b609

SHA512
6d9b07cf6fba3d4223f6580492534adec04a35a2542b1b50448ec18fb94ba75d39eb658dc88857ab6d0c0fcf1c8b3ed8e9f39af52e73f5df37f9d51cb6ee5cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4261.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4300.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6F49A5D6-E261-4A12-B566-00FFD97B4716}

Filesize
128KB

MD5
fb9c50932f901209addec77399de72ff

SHA1
f9286c32282f06ede45e3d0f311ffa5430fde301

SHA256
32d1923cb4c650a3f1c9a0aecadbcd0b6fc33a542e06c917e32b2102861dbf36

SHA512
2b6e1f6e6dd13c57556c4d14ecb89ff8f380e9b63224113f345d52c2f7a9a0b2bb02313f6632d7ceffaa01b8c85db949407a5903a0ecc7aedd7ed9b518e3cdc6

Download Submit
memory/2232-0-0x000000002F651000-0x000000002F652000-memory.dmp

Filesize
4KB

Download
memory/2232-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2232-2-0x0000000070D4D000-0x0000000070D58000-memory.dmp

Filesize
44KB

Download
memory/2232-164-0x0000000070D4D000-0x0000000070D58000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing