Analysis
max time kernel
57s
max time network
18s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
25-05-2024 03:54
Behavioral task
behavioral1
Sample
eb56583140848441a045bbbfda89cfe0b251ca78e1205793208d533c67e717c8.doc
Resource
win7-20240221-en
5 signatures
60 seconds
Behavioral task
behavioral2
Sample
eb56583140848441a045bbbfda89cfe0b251ca78e1205793208d533c67e717c8.doc
Resource
win10v2004-20240508-en
4 signatures
60 seconds
General
Target
eb56583140848441a045bbbfda89cfe0b251ca78e1205793208d533c67e717c8.doc
Size
32KB
MD5
28339b89921f268fda506e426ae4204e
SHA1
93f07829d30d466ea7bd844028892ac294763d34
SHA256
eb56583140848441a045bbbfda89cfe0b251ca78e1205793208d533c67e717c8
SHA512
ec9413c92a5bf1f0cd813d48b10f92c8c2755c91f339093d0fd922a2f0ce8f700d4b87c0b373ab127c97b5995c92d78f3311468a2086279685fe14ded879f895
SSDEEP
384:5wl8XAiSJPw+QD1IPucv++kCY50jXstOa:6l83+k+rXy
Score
1/10
Malware Config
Signatures
Office loads VBA resources, possible macro or embedded object present
Processes:
WINWORD.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXE
pid | process
2180 | WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXE
pid | process
2180 | WINWORD.EXE
2180 | WINWORD.EXE
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXE
description | pid | process | target process
PID 2180 wrote to memory of 2504 | 2180 | WINWORD.EXE | splwow64.exe
PID 2180 wrote to memory of 2504 | 2180 | WINWORD.EXE | splwow64.exe
PID 2180 wrote to memory of 2504 | 2180 | WINWORD.EXE | splwow64.exe
PID 2180 wrote to memory of 2504 | 2180 | WINWORD.EXE | splwow64.exe
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\eb56583140848441a045bbbfda89cfe0b251ca78e1205793208d533c67e717c8.doc"
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
PID:2504