Analysis
max time kernel: 58s
max time network: 16s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 03:59
Behavioral task
behavioral1
Sample
3a45ae688a6fc85ba5dbbf728d95ea8332b050871db0f2546bde5831cdb46d00.doc
Resource
win7-20231129-en
5 signatures
60 seconds
Behavioral task
behavioral2
Sample
3a45ae688a6fc85ba5dbbf728d95ea8332b050871db0f2546bde5831cdb46d00.doc
Resource
win10v2004-20240426-en
4 signatures
60 seconds
General
Target: 3a45ae688a6fc85ba5dbbf728d95ea8332b050871db0f2546bde5831cdb46d00.doc
Size: 32KB
MD5: 382d73b849e8db58cd932546dc3c50a4
SHA1: c21023ebc16b6197a7a8098e262da133bca74838
SHA256: 3a45ae688a6fc85ba5dbbf728d95ea8332b050871db0f2546bde5831cdb46d00
SHA512: f10da526ae20e57dbdcc53e35a44a29dc1acc8c2d50bec17088c5c3fe4dd456feb88c28255d06fd6871df7273f621961496ae62815aa1828b55c08f128f0d885
SSDEEP: 384:AHgJifiSJPw+QD1z4n9cJQClqX50jRHst7+:SgJj+k89ow
Score
1/10
Malware Config
Signatures
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXE
pid | process
2232 | WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXE
pid | process
2232 | WINWORD.EXE
2232 | WINWORD.EXE
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXE
description | pid | process | target process
PID 2232 wrote to memory of 2564 | 2232 | WINWORD.EXE | splwow64.exe
PID 2232 wrote to memory of 2564 | 2232 | WINWORD.EXE | splwow64.exe
PID 2232 wrote to memory of 2564 | 2232 | WINWORD.EXE | splwow64.exe
PID 2232 wrote to memory of 2564 | 2232 | WINWORD.EXE | splwow64.exe
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3a45ae688a6fc85ba5dbbf728d95ea8332b050871db0f2546bde5831cdb46d00.doc"
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
    C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    PID:2564