Analysis
-
max time kernel
57s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system -
submitted
25-05-2024 03:56
Behavioral task
behavioral1
Sample
7b2aa64dd491505a0be6dafa1798e4323c55597536e691fbf62459618046d22e.doc
Resource
win7-20240220-en
5 signatures
60 seconds
Behavioral task
behavioral2
Sample
7b2aa64dd491505a0be6dafa1798e4323c55597536e691fbf62459618046d22e.doc
Resource
win10v2004-20240508-en
4 signatures
60 seconds
General
-
Target
7b2aa64dd491505a0be6dafa1798e4323c55597536e691fbf62459618046d22e.doc
-
Size
32KB
-
MD5
6362b622809dbbffe5d938389ed08e7e
-
SHA1
8408de2a9e159e68bfdc40973afb8920e16820c5
-
SHA256
7b2aa64dd491505a0be6dafa1798e4323c55597536e691fbf62459618046d22e
-
SHA512
37cf4934a721d241b34ec66841d9028eb8505ea39074e5fd9206e149bbb06c8acd5ed3a27794d0a009bc84d3b7649351c266efc783cb5e3260e8ec79f00b7e2b
-
SSDEEP
384:bj3YZiSJPw+QD1GCXOBaaUAjB50jeTst/vC:H3D+kNXKdb
Score
1/10
Malware Config
Signatures
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXE
pid | process
2500 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXE
pid | process
2500 | WINWORD.EXE
2500 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXE
description | pid | process | target process
PID 2500 wrote to memory of 2508 | 2500 | WINWORD.EXE | splwow64.exe
PID 2500 wrote to memory of 2508 | 2500 | WINWORD.EXE | splwow64.exe
PID 2500 wrote to memory of 2508 | 2500 | WINWORD.EXE | splwow64.exe
PID 2500 wrote to memory of 2508 | 2500 | WINWORD.EXE | splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7b2aa64dd491505a0be6dafa1798e4323c55597536e691fbf62459618046d22e.doc"
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
PID:2508