Threat Analysis Report: Hash Values File Details Environment

McAfee Advanced Threat Defense
| Threat Analysis Report
File Name SPIDER.doc Threat Level ⬤ 5 - Very High
Malware Name TYPE_TROJAN Engine GTI File Reputation
File Submitted 2021-04-13 03:59:50 UTC Processing Time 155 seconds
File Size 51,712 bytes Sandbox Replication 147 seconds
Show More Hash Values File Details Environment
MD5 Hash Identifier 5B24E7C884880A7ABDD53975AF2E565E
SHA-1 Hash Identifier 62295E55C573B30847235B69837153CB109B267E
SHA-256 Hash
7D72F078EE28B94396B051CEC47E57B665A205C09D8772E8FD631CC9ABB7DE64
Identifier
Screenshots 17
Hide hash values
File Type F
Hide file details
Microsoft Windows 7 Professional Service Pack 1 (build 7601, version 6.1.7601), 64-bit
Windows® Internet Explorer version: 8.0.7601.17514
Microsoft Office version: 2007
PDF Reader version: 11.0
No Flash player installed
Flash player plugin version: 22.0.0.209
Platform Version 4.12.0.7
Detection Package Version 4.12.0.201112
Hide environment
Behavior Classification
Behavior Severity
Exploiting, Shellcode ⬤ 2 - Low
Detected scripting content embedded in the sample ⬤ 2 - Low
⬤ 1-
Offile file contains VBA code
Informational
Hiding, Camouflage, Stealthiness, Detection and Removal Protection ⬤ 1 - Informational
⬤ 1-
office file Spawns printer spooler
Informational
⬤ 1-
Informational
⬤ 1-
Changed the protection attribute of the process
Informational
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection ⬤ 1 - Informational
Retrieved system information such as Processor Architecture,Number ⬤ 1-

Processors,Processor Type Informational
Processors,Processor Type Informational
⬤ 1-
Informational
⬤ 1-
Disabled attach/detach notifications from dynamic link library
Informational
⬤ 1-
Contained long sleep
Informational
Spreading ⬤ 1 - Informational
⬤ 1-
Informational
Persistence, Installation Boot Survival ⬤ 1 - Informational
⬤ 1-
Informational
Networking ⬤ 1 - Informational
⬤ 1-
Informational
Data spying, Sniffing, Keylogging, Ebanking Fraud ⬤ 1 - Informational
⬤ 1-
Informational
⬤ 1-
Contained long sleep
Informational
Processes Analyzed
Name Reason Severity
SPIDER.doc loaded by MATD Analyzer & dropped by SPIDER.doc ⬤ 2 - Low
splwow64.exe executed by winword ⬤ Unverified
Timeline Activity
Processes Files Registry Operations Network Operations Multiple Operations
Select Any Area to Zoom In
SPIDER.doc
s plwow64.exe
0 6 12 18 24 30 36 42 48 54 60 66 72 78 84 90 96 102 108 114 120 126 132

Offset in seconds
Jump to Timeline Details
Timeline Activity Details
Time Offset Event Details
00:00:000 Others Initialized a critical section object and set the spin count for the critical section
File Operations,
00:00:000 Retrieved the full path for the module
miscellaneous
File Operations,
00:00:000 Obtained the path of the Windows system directory
miscellaneous
Process Operations, Retrieved information on a specific string in the current activation context
00:00:000
miscellaneous
Process Operations, Obtained the contents of the specified variable from the environment block of the
00:00:000
miscellaneous calling process
Process Operations, Changed the protection attribute of process address: 0x2fc21634, new attribute:
00:00:000
miscellaneous Execute_ReadWrite
Process Operations, Changed the protection attribute of process address: 0x2fc21634, new attribute:
00:00:016
miscellaneous Execute_Read
C:\Windows\Microsoft.NET\Framework\\v2.0.50727\clr.dll
20000
00:00:156 Files Opened
10000000
00:00:156 Registry Opened HKLM\Software\Microsoft\.NETFramework
00:00:156 Files Read C:\Windows\Microsoft.NET\Framework\
00:00:156 Registry Opened HKCU\Software\Microsoft\.NETFramework
C:\Windows\Microsoft.NET\Framework\\v1.1.4322\mscorwks.dll
20000
10000000
20000
10000000
20000
10000000
20000
10000000
File Operations,
00:00:156 Obtained a set of FAT file system attributes for a file or directory
miscellaneous
HKLM\Software\Microsoft\.NETFramework
00:00:156 Registry Read
InstallRoot
File Operations,
00:00:156 Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*
miscellaneous
HKLM\SOFTWARE\Microsoft\Fusion
NoClientChecks
00:00:172 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727
00:00:172 Registry Opened HKLM\SOFTWARE\Microsoft\Fusion
00:00:172 Registry Opened HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades
Registry Operations, Enumerated the values for an open registry key

00:00:172
miscellaneous
20000
10000000
20000
20000
10000000
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE.config

Read
Normal
UseLegacyV2RuntimeActivationPolicyDefaultValue
OnlyUseLatestCLR
00:00:235 Others Retrieved the current local date and time
c:\windows\splwow64.exe
00:00:297 Process Created c:\windows\splwow64.exe 12288
File Operations,
00:00:328 Retrieved the full path for the module
miscellaneous
00:00:328 Registry Opened HKLM\System\CurrentControlSet\Control\Print
HKLM\System\CurrentControlSet\Control\Print
SplWOW64TimeOut
ff7f6cd8
00:00:328 Thread Created
Obtained the current system date and time in in Coordinated Universal Time (UTC)
00:00:328 Others
format
ff7fa838
00:00:328 Others Obtained information about an access token
Process Operations,
00:00:328 Enabled an application to supersede the top-level exception handler
miscellaneous
ff7faa2c
Process Operations,
00:00:328 Opened the access token associated with a process
miscellaneous
Process Operations,
00:00:328 Opened the access token associated with a thread
miscellaneous
Process Operations,
00:00:328 Retrieved the Remote Desktop Services session
miscellaneous
Process Operations, Set a waiting mode until a specified object is in the signaled state or the time-out
00:00:328
miscellaneous interval elapses
00:00:328 Signal Objects ffffffff
Converted a string-format security descriptor into a valid, functional security

00:00:328 Others
descriptor
{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}
00:00:391 Process Created
{FA445657-9379-11D6-B41A-00065B83EE53}
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Write
00:00:453 Files Created
Hidden
Process Operations,
00:00:453 Initialized COM library for the current thread and set it in the concurrency mode
miscellaneous
{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
{DFFACDC5-679F-4156-8947-C5C76BC0B67F}
{0E5AAE11-A475-4C5B-AB00-C66DE400274E}
{88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}
{88D969EF-F192-11D4-A65F-0040963251E5}
C:\nogwfjxpzm\~$5c81fc-0946-4a78-bb24-0c37f7a297f6.doc
Write
Hidden
{33C53A50-F456-4884-B049-85FD643ECFED}
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\7b5c81fc-0946-
00:01:500 Files Deleted
4a78-bb24-0c37f7a297f6.LNK
00:01:735 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\nogwfjxpzm.LNK
00:02:016 Others Retrieved information about a locale specified by a identifier
File Operations,
00:02:016 Obtained the current directory for the current process
miscellaneous
00:02:016 Others Obtained the system metric or system configuration setting
00:02:016 Registry Opened HKCR\Licenses
Process Operations,
00:02:016 Obtained the identifier of the thread or process that created the specified window
miscellaneous
File Operations, Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or
00:02:030
miscellaneous network drive
00:02:030 Registry Opened HKLM\SOFTWARE\Microsoft\VBA\Monitors
HKCU\Software\Microsoft\VBA\6.0\Common
BackGroundCompile
CompileOnDemand
BreakOnServerErrors
BreakOnAllErrors
Enumerated registry keys

RequireDeclaration
00:02:046 Registry Created HKCU\Software\Microsoft\VBA\6.0\Common
00:02:046 Registry Opened HKCR\TypeLib
00:02:046 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}

00:02:046 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4
00:02:046 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0
00:02:046 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0\win32
NotifyUserBeforeStateLoss
00:02:062 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}
00:02:062 Process Created C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE14\EXCEL.EXE
File Operations,
00:02:062 Searched a directory for the name: Normal
miscellaneous
00:02:062 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4
00:02:062 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0
00:02:062 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32
00:02:062 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
00:02:062 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
00:02:578 Process Created C:\NOGWFJXPZM\EXCEL.EXE
00:03:046 Registry Opened HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win32
00:03:046 Registry Opened HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}
00:03:046 Registry Opened HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0
00:03:046 Registry Opened HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0
00:03:359 Registry Opened HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0\0
00:03:359 Registry Opened HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0
00:03:359 Registry Opened HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0\0\win32
00:03:359 Registry Opened HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}
File Operations,
00:03:391 Retrieved the path of the directory designated for temporary files
miscellaneous
Directories C:\Users\ADMINI~1\AppData\Local\Temp\VBE
00:03:405
Created/Opened
00:03:405 Files Read Normal
65001f64
EndProcLine
IndicatorBar
TabWidth
00:04:110 Registry Read HKCU\Software\Microsoft\VBA\6.0\Common

FullModuleView
OBSearchHeight
SyntaxChecking
DragDropInEditor
AutoIndent
AutoQuickTips2
AutoStatement2
AutoValueTips2
CodeBackColors
OBGroupMembers
MdiMaximized
00:04:125 Registry Opened HKCU\Software\Microsoft\VBA\6.0\Common
IndicatorColors
FontHeight
FontFace
FontCharSet
00:04:125 Others Retrieved an integer from a key in a section of the Win.ini file
CodeForeColors
UpgradeVBX
AlignToGrid
ShowToolTips
ShowGrid
ReadOnlyMode
00:04:140 Registry Read HKCU\Software\Microsoft\VBA\6.0\Common

SaveBeforeRun
BackgroundProjectLoad
CollapseWindows
FolderView
GridHeight
GridWidth
Tool
UI
PropertiesWindow
00:04:203 Registry Opened HKCU\Software\Microsoft\VBA\6.0\Common\Designers
00:04:203 Registry Opened HKCU\Software\Microsoft\VBA\VBE\6.0\Addins
00:04:203 Registry Opened HKCU\Software\Microsoft\VBA\6.0\Common\ToolboxControls
CtlsShowSelected
Dock
DsnShowSelected
MainWindow
Obtained the current system date and time in in Coordinated Universal Time (UTC)
00:04:235 Others
format
HKLM\Software\Microsoft\Windows\Help
VbLR6.chm
HKLM\Software\Microsoft\Windows\HTML Help
VbLR6.chm
00:04:281 Registry Opened HKLM\Software\Microsoft\Windows
00:04:281 Registry Opened HKLM\Software\Microsoft\Windows\HTML Help
00:04:281 Registry Opened HKLM\Software\Microsoft\Windows\Help
{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
02:12:968 Others Recorded system information
Process Operations, Disabled the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the
02:12:985
miscellaneous dynamic-link library
HKCU\Software\Microsoft\Shared Tools\Proofing
02:13:000 Registry Created
Tools\Grammar\MSGrammar\3.0\1033
02:13:000 Registry Read Tools\Grammar\MSGrammar\3.0\1033
Options Version
Tools\Grammar\MSGrammar\3.0\1033\Option Set 1
Tools\Grammar\MSGrammar\3.0\1033\Option Set 0
Tools\Grammar\MSGrammar\3.0\1033\Option Set 0\Data
02:13:000 Registry Modified
1010101
REG_BINARY
Tools\Grammar\MSGrammar\3.0\1033\Option Set 0\Name
Grammar & Style
REG_SZ
Tools\Grammar\MSGrammar\3.0\1033\Option Set 1\Data
1010101
REG_BINARY
Tools\Grammar\MSGrammar\3.0\1033\Option Set 1\Name
Grammar Only
REG_SZ
Tools\Grammar\MSGrammar\3.0\1033\Options Version
1
REG_DWORD
C:\Program Files (x86)\Common Files\Microsoft Shared\PROOF\MSGR3EN.LEX

Read
Normal
02:13:016 Memory Mapped Files Created a file that can be used for memory mapping
02:13:016 Registry Opened HKLM\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet
Files\Content.Word\~WRS{25162D27-F411-449E-9F1D-FF884C228A84}.tmp
02:14:375 Files Deleted C:\nogwfjxpzm\~$5c81fc-0946-4a78-bb24-0c37f7a297f6.doc
02:14:453 Files Deleted C:\Users\Administrator\AppData\Local\Microsoft\Schemas\MS Word_restart.xml
HKCU\Software\Microsoft\VBA\6.0\Common\PropertiesWindow
02:14:500 Registry Modified 8 8 180 400 1
REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\MainWindow
02:14:531 Registry Modified 0 0 800 560 1
REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\MdiMaximized
02:14:531 Registry Modified 0
REG_SZ
02:14:531 Registry Modified HKCU\Software\Microsoft\VBA\6.0\Common\FolderView

1
REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\Dock
02:14:531 Registry Modified 14C0002
REG_BINARY
HKCU\Software\Microsoft\VBA\6.0\Common\CtlsShowSelected
REG_SZ
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\VB12.pip
Write
8100000
HKCU\Software\Microsoft\VBA\6.0\Common\UI
REG_BINARY
HKCU\Software\Microsoft\VBA\6.0\Common\Tool
REG_BINARY
HKCU\Software\Microsoft\VBA\6.0\Common\DsnShowSelected
REG_SZ
Process Operations, Set a waiting mode until a specified object is in the signaled state or the time-out
02:14:563
02:14:625 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Files\Content.Word\~WRS{428F46C1-A8AC-497B-A911-5A1CCFE1CF8B}.tmp
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Word12.pip
Write
8100000
Files\Content.Word\~WRF{27735B2C-E422-491D-8985-3FE59DB6D384}.tmp
02:14:828 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\CVRD793.tmp.cvr
02:14:828 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\55187.od
Engine Analysis
Engine Threat Name Severity
GTI File Reputation TYPE_TROJAN ⬤ 5 - Very High
GTI URL Reputation
Gateway Anti-Malware RDN/GenDownloader.avm ⬤ 5 - Very High
Anti-Malware RDN/GenDownloader.avm ⬤ 5 - Very High
YARA
Custom Rules
Sandbox ⬤ 2 - Low
Final ⬤ 5 - Very High
Sample is malicious: final severity level 5
Embedded/Dropped content
MD5 Name Category
126AACB44244697509482C60C8556D40 7b5c81fc-0946-4a78-bb24-0c37f7a297f6.vba * ---
064BD124EF06273C4D85D239815667D4 VB12.pip * ---
89C7F2CFCDD6B65DDD60A95AE0B69540 Word12.pip * ---
* Attachments were extracted from the sample file and stored in the dropfiles.zip
Screenshots
Note: a pop-up window was detected during dynamic analysis so user interaction may be required in order to fully analyze this sample
Images: 17
2c78c.jpg
18c4d.jpg
25b35.jpg
2a2ce.jpg
2b77e.jpg
26fe6.jpg
f731.jpg
11623.jpg
29e0b.jpg
103b4.jpg
274a9.jpg
2cc3f.jpg
2b2cb.jpg
25fe9.jpg
e60a.jpg
2867c.jpg
28b2f.jpg
SPIDER.doc
Run-Time Dlls: 8
api-ms-win-appmodel-runtime-l1-1-0.dll
vbe6intl.dll
comctl32.dll
oleaut32.dll
shlwapi.dll
vbe6.dll
version.dll
wwlib.dll
File Operations: 36
Files Created
File Name Access Mode File Attributes
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\VB12.pip Write 8100000
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Word12.pip Write 8100000
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Write Hidden
C:\nogwfjxpzm\~$5c81fc-0946-4a78-bb24-0c37f7a297f6.doc Write Hidden
Files Opened
File Name Access Mode File Attributes
C:\Program Files (x86)\Common Files\Microsoft Shared\PROOF\MSGR3EN.LEX Read Normal
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE.config Read Normal
C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll 20000 10000000
C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll 20000 10000000

Files Deleted
C:\Users\ADMINI~1\AppData\Local\Temp\55187.od
C:\Users\ADMINI~1\AppData\Local\Temp\CVRD793.tmp.cvr
C:\Users\Administrator\AppData\Local\Microsoft\Schemas\MS Word_restart.xml
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{27735B2C-E422-491D-8985-

3FE59DB6D384}.tmp
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{25162D27-F411-449E-9F1D-

FF884C228A84}.tmp
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{428F46C1-A8AC-497B-A911-

5A1CCFE1CF8B}.tmp
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\7b5c81fc-0946-4a78-bb24-0c37f7a297f6.LNK
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\nogwfjxpzm.LNK
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
C:\nogwfjxpzm\~$5c81fc-0946-4a78-bb24-0c37f7a297f6.doc
Files Read
C:\Windows\Microsoft.NET\Framework\
C:\Windows\Microsoft.NET\Framework\v2.0.50727
Normal
Directories Created/Opened
New Directory Template Directory
C:\Users\ADMINI~1\AppData\Local\Temp\VBE
Memory Mapped Files
Created a file that can be used for memory mapping
Other
Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive
Obtained a set of FAT file system attributes for a file or directory
Obtained the current directory for the current process
Obtained the path of the Windows system directory
Retrieved the full path for the module
Retrieved the path of the directory designated for temporary files
Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*
Searched a directory for the name: Normal
Registry Operations: 108
Registry Created
HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033
HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option Set 0
HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option Set 1
Registry Opened
HKCR\Licenses
HKCR\TypeLib
HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}
HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}
HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}
HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4
HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0
HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0\win32
HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\409
HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\9
HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}
HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0
HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0
HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win32
HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}
HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4
HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0
HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32
HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}
HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0
HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0\0
HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0\0\win32
HKCU\Software\Microsoft\.NETFramework
HKCU\Software\Microsoft\VBA\6.0\Common\Designers
HKCU\Software\Microsoft\VBA\6.0\Common\ToolboxControls
HKCU\Software\Microsoft\VBA\VBE\6.0\Addins
HKLM\SOFTWARE\Microsoft\Fusion
HKLM\SOFTWARE\Microsoft\VBA\Monitors
HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades
HKLM\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0
HKLM\Software\Microsoft\Windows
HKLM\Software\Microsoft\Windows\HTML Help
HKLM\Software\Microsoft\Windows\Help
Registry Modified
Key NewValue Type
HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option

1010101 REG_BINARY
Set 0\Data
HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option Grammar &

REG_SZ
Set 0\Name Style

1010101 REG_BINARY
Set 1\Data

Grammar Only REG_SZ
Set 1\Name
HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Options

1 REG_DWORD
Version
HKCU\Software\Microsoft\VBA\6.0\Common\CtlsShowSelected 0 REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\Dock 14C0002 REG_BINARY
HKCU\Software\Microsoft\VBA\6.0\Common\DsnShowSelected 0 REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\FolderView 1 REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\MainWindow 0 0 800 560 1 REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\MdiMaximized 0 REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\PropertiesWindow 8 8 180 400 1 REG_SZ
HKCU\Software\Microsoft\VBA\6.0\Common\Tool 0 REG_BINARY
HKCU\Software\Microsoft\VBA\6.0\Common\UI 68 REG_BINARY
Registry Read
Enumerated registry keys
Options Version
Tools\Grammar\MSGrammar\3.0\1033
HKCU\Software\Microsoft\VBA\6.0\Common AlignToGrid
HKCU\Software\Microsoft\VBA\6.0\Common AutoIndent
HKCU\Software\Microsoft\VBA\6.0\Common AutoQuickTips2
HKCU\Software\Microsoft\VBA\6.0\Common AutoStatement2
HKCU\Software\Microsoft\VBA\6.0\Common AutoValueTips2
HKCU\Software\Microsoft\VBA\6.0\Common BackGroundCompile
HKCU\Software\Microsoft\VBA\6.0\Common BackgroundProjectLoad
HKCU\Software\Microsoft\VBA\6.0\Common BreakOnAllErrors
HKCU\Software\Microsoft\VBA\6.0\Common BreakOnServerErrors
HKCU\Software\Microsoft\VBA\6.0\Common CodeBackColors
HKCU\Software\Microsoft\VBA\6.0\Common CodeForeColors
HKCU\Software\Microsoft\VBA\6.0\Common CollapseWindows
HKCU\Software\Microsoft\VBA\6.0\Common CompileOnDemand
HKCU\Software\Microsoft\VBA\6.0\Common CtlsShowSelected
HKCU\Software\Microsoft\VBA\6.0\Common Dock
HKCU\Software\Microsoft\VBA\6.0\Common DragDropInEditor
HKCU\Software\Microsoft\VBA\6.0\Common DsnShowSelected
HKCU\Software\Microsoft\VBA\6.0\Common EndProcLine
HKCU\Software\Microsoft\VBA\6.0\Common FolderView
HKCU\Software\Microsoft\VBA\6.0\Common FontCharSet
HKCU\Software\Microsoft\VBA\6.0\Common FontFace
HKCU\Software\Microsoft\VBA\6.0\Common FontHeight
HKCU\Software\Microsoft\VBA\6.0\Common FullModuleView
HKCU\Software\Microsoft\VBA\6.0\Common GridHeight
HKCU\Software\Microsoft\VBA\6.0\Common GridWidth
HKCU\Software\Microsoft\VBA\6.0\Common IndicatorBar
HKCU\Software\Microsoft\VBA\6.0\Common IndicatorColors
HKCU\Software\Microsoft\VBA\6.0\Common MainWindow
HKCU\Software\Microsoft\VBA\6.0\Common MdiMaximized
HKCU\Software\Microsoft\VBA\6.0\Common NotifyUserBeforeStateLoss
HKCU\Software\Microsoft\VBA\6.0\Common OBGroupMembers
HKCU\Software\Microsoft\VBA\6.0\Common OBSearchHeight
HKCU\Software\Microsoft\VBA\6.0\Common PropertiesWindow
HKCU\Software\Microsoft\VBA\6.0\Common ReadOnlyMode
HKCU\Software\Microsoft\VBA\6.0\Common RequireDeclaration
HKCU\Software\Microsoft\VBA\6.0\Common SaveBeforeRun
HKCU\Software\Microsoft\VBA\6.0\Common ShowGrid
HKCU\Software\Microsoft\VBA\6.0\Common ShowToolTips
HKCU\Software\Microsoft\VBA\6.0\Common SyntaxChecking
HKCU\Software\Microsoft\VBA\6.0\Common TabWidth
HKCU\Software\Microsoft\VBA\6.0\Common Tool
HKCU\Software\Microsoft\VBA\6.0\Common UI
HKCU\Software\Microsoft\VBA\6.0\Common UpgradeVBX
HKLM\SOFTWARE\Microsoft\Fusion NoClientChecks
HKLM\Software\Microsoft\.NETFramework InstallRoot
HKLM\Software\Microsoft\.NETFramework OnlyUseLatestCLR
HKLM\Software\Microsoft\.NETFramework UseLegacyV2RuntimeActivationPolicyDefaultValue
HKLM\Software\Microsoft\Windows\HTML Help VbLR6.chm
HKLM\Software\Microsoft\Windows\Help VbLR6.chm
Other
Enumerated the values for an open registry key
Process Operations: 21
Process Created
Process Name Module
C:\NOGWFJXPZM\EXCEL.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE14\EXCEL.EXE

c:\windows\splwow64.exe c:\windows\splwow64.exe 12288
{0E5AAE11-A475-4C5B-AB00-C66DE400274E}
{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
{33C53A50-F456-4884-B049-85FD643ECFED}
{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}
{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
{88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}
{88D969EF-F192-11D4-A65F-0040963251E5}
{DFFACDC5-679F-4156-8947-C5C76BC0B67F}
{FA445657-9379-11D6-B41A-00065B83EE53}
Thread Created
65001f64
Other
Changed the protection attribute of process address: 0x2fc21634, new attribute: Execute_Read
Changed the protection attribute of process address: 0x2fc21634, new attribute: Execute_ReadWrite
Disabled the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the dynamic-link library
Initialized COM library for the current thread and set it in the concurrency mode
Obtained the contents of the specified variable from the environment block of the calling process
Obtained the identifier of the thread or process that created the specified window
Retrieved information on a specific string in the current activation context
Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses
Other Operations: 7
Others
Initialized a critical section object and set the spin count for the critical section
Obtained the current system date and time in in Coordinated Universal Time (UTC) format
Obtained the system metric or system configuration setting
Recorded system information
Retrieved an integer from a key in a section of the Win.ini file
Retrieved information about a locale specified by a identifier
Retrieved the current local date and time
McAfee Active Response
Status: Product is not Available
© 2020 McAfee, LLC. All rights reserved.

© 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Threat Analysis Report: Hash Values File Details Environment

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Threat Analysis Report: Hash Values File Details Environment

Uploaded by

Copyright:

Available Formats

McAfee Advanced Threat Defense

| Threat Analysis Report

File Name SPIDER.doc Threat Level ⬤ 5 - Very High

Malware Name TYPE_TROJAN Engine GTI File Reputation

File Submitted 2021-04-13 03:59:50 UTC Processing Time 155 seconds

File Size 51,712 bytes Sandbox Replication 147 seconds

Show More Hash Values File Details Environment

MD5 Hash Identifier 5B24E7C884880A7ABDD53975AF2E565E

SHA-1 Hash Identifier 62295E55C573B30847235B69837153CB109B267E

Hide hash values

Hide file details

Windows® Internet Explorer version: 8.0.7601.17514

Microsoft Office version: 2007

PDF Reader version: 11.0

No Flash player installed

Flash player plugin version: 22.0.0.209

Platform Version 4.12.0.7

Detection Package Version 4.12.0.201112

Exploiting, Shellcode ⬤ 2 - Low

Detected scripting content embedded in the sample ⬤ 2 - Low

Hiding, Camouflage, Stealthiness, Detection and Removal Protection ⬤ 1 - Informational

Retrieved system information such as Processor Architecture,Number ⬤ 1-

Persistence, Installation Boot Survival ⬤ 1 - Informational

Data spying, Sniffing, Keylogging, Ebanking Fraud ⬤ 1 - Informational

Name Reason Severity

SPIDER.doc loaded by MATD Analyzer & dropped by SPIDER.doc ⬤ 2 - Low

splwow64.exe executed by winword ⬤ Unverified

Processes Files Registry Operations Network Operations Multiple Operations

Select Any Area to Zoom In

0 6 12 18 24 30 36 42 48 54 60 66 72 78 84 90 96 102 108 114 120 126 132

Jump to Timeline Details

Timeline Activity Details

Time Offset Event Details

00:00:156 Registry Opened HKLM\Software\Microsoft\.NETFramework

00:00:156 Files Read C:\Windows\Microsoft.NET\Framework\

00:00:156 Registry Opened HKCU\Software\Microsoft\.NETFramework

00:00:172 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727

00:00:172 Registry Opened HKLM\SOFTWARE\Microsoft\Fusion

00:00:172 Registry Opened HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades

Registry Operations, Enumerated the values for an open registry key

C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE.config

00:00:235 Others Retrieved the current local date and time

00:00:328 Registry Opened HKLM\System\CurrentControlSet\Control\Print

00:00:328 Others Obtained information about an access token

00:00:328 Signal Objects ffffffff

Converted a string-format security descriptor into a valid, functional security

00:01:735 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\nogwfjxpzm.LNK

00:02:016 Others Retrieved information about a locale specified by a identifier

00:02:016 Others Obtained the system metric or system configuration setting

00:02:016 Registry Opened HKCR\Licenses

00:02:030 Registry Opened HKLM\SOFTWARE\Microsoft\VBA\Monitors

Enumerated registry keys

00:02:046 Registry Created HKCU\Software\Microsoft\VBA\6.0\Common

00:02:046 Registry Opened HKCR\TypeLib

00:02:046 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}

00:02:046 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4

00:02:046 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0

00:02:046 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0\win32

00:02:046 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\409

00:02:046 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\9

00:02:062 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}

00:02:062 Process Created C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE14\EXCEL.EXE

00:02:062 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4