Analysis
max time kernel: 57s
max time network: 16s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 03:51
Behavioral task: behavioral1
Sample: 5bfc6fd347a427976ea5092dc850df6c1516bfc14d14588f096d37db54ed20fb.doc
Resource: win7-20240215-en
5 signatures, 60 seconds
Behavioral task: behavioral2
Sample: 5bfc6fd347a427976ea5092dc850df6c1516bfc14d14588f096d37db54ed20fb.doc
Resource: win10v2004-20240508-en
4 signatures, 60 seconds
General
Target: 5bfc6fd347a427976ea5092dc850df6c1516bfc14d14588f096d37db54ed20fb.doc
Size: 32KB
MD5: bd3f4a1d94d7ce3996887a7bd48500df
SHA1: 5dc0fdd9cd6396be1b13e6e2f9be1b4229440719
SHA256: 5bfc6fd347a427976ea5092dc850df6c1516bfc14d14588f096d37db54ed20fb
SHA512: 7d7e28b8040aa9d1440db66750ea1956134ecdab2035243332de9ff3d757b2ef1d49e0e28261724174f258c12becbb46ac3f7478abc3a6d241a2b2973d58b2f3
SSDEEP: 384:fgXonFUiSJPw+QD1afonwqZLg50jMstgA:IXonZ+k8et8
Score: 1/10
Malware Config
Signatures
Office loads VBA resources, possible macro or embedded object present
Processes: WINWORD.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: WINWORD.EXE
pid | process
1288 | WINWORD.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE
pid | process
1288 | WINWORD.EXE
1288 | WINWORD.EXE
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: WINWORD.EXE
description | pid | process | target process
PID 1288 wrote to memory of 2800 | 1288 | WINWORD.EXE | splwow64.exe
PID 1288 wrote to memory of 2800 | 1288 | WINWORD.EXE | splwow64.exe
PID 1288 wrote to memory of 2800 | 1288 | WINWORD.EXE | splwow64.exe
PID 1288 wrote to memory of 2800 | 1288 | WINWORD.EXE | splwow64.exe
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (tree level 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5bfc6fd347a427976ea5092dc850df6c1516bfc14d14588f096d37db54ed20fb.doc"
PID: 1288
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
C:\Windows\splwow64.exe (tree level 2)
Command line: C:\Windows\splwow64.exe 12288
PID: 2800