Resubmissions
07-09-2020 14:49
200907-6g4j1lsg4a 07-09-2020 14:46
200907-621166mbea 07-09-2020 14:43
200907-arlway4y22 07-09-2020 14:40
200907-2gfycfzzsn 07-09-2020 14:37
200907-48ed1pf1qa 07-09-2020 14:30
200907-nrhrd8w9xa 07-09-2020 14:27
200907-7xkbfnkxne 07-09-2020 13:24
200907-hmxpvsyqqx 07-09-2020 13:22
200907-y2l4q28146 07-09-2020 13:19
200907-snqv561r56

Analysis
- max time kernel: 123s
- max time network: 104s
- platform: windows7_x64
- resource: win7v200722
- submitted: 07-09-2020 14:27

Static task: static1
Behavioral task: behavioral1
- Sample: HRCComplaintProcedureForm (7).doc
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: HRCComplaintProcedureForm (7).doc
- Resource: win10

General
- Target: HRCComplaintProcedureForm (7).doc
- Size: 80KB
- MD5: a411bb05ee4192202c88efdbd54552db
- SHA1: 6b0acf8175d39a1008bf9fb0d3c45bb63a3361e9
- SHA256: 33a24ad4b225880bee5c9d40527022ea020daf2f6d7643269f4f739b3271f5de
- SHA512: 6e424b2c2a7881d4969ddfaef595822f3d987e8fc49f578118c6d4ba25461ef53613405394f4ac366606ecfda08ede4d22f436f182aaee82ba9b5f7962cce6f4
Malware Config
Signatures
- Modifies service (2 TTPs, 2 IoCs)
  Processes: ipconfig.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | ipconfig.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | ipconfig.exe
- Office loads VBA resources, possible macro or embedded object present
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  Processes: ipconfig.exe, NETSTAT.EXE
  pid | process
  2040 | ipconfig.exe
  1312 | NETSTAT.EXE
- Modifies Internet Explorer settings
  Processes: helppane.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Internet Explorer\Main | helppane.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: WINWORD.EXE
  pid | process
  1440 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes: AUDIODG.EXE, helppane.exe, NETSTAT.EXE
  description | pid | process
  Token: 33 | 552 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 552 | AUDIODG.EXE
  Token: 33 | 552 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 552 | AUDIODG.EXE
  Token: SeTakeOwnershipPrivilege | 1920 | helppane.exe
  Token: SeTakeOwnershipPrivilege | 1920 | helppane.exe
  Token: SeTakeOwnershipPrivilege | 1920 | helppane.exe
  Token: SeTakeOwnershipPrivilege | 1920 | helppane.exe
  Token: SeDebugPrivilege | 1312 | NETSTAT.EXE
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: helppane.exe
  pid | process
  1920 | helppane.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes: WINWORD.EXE, helppane.exe
  pid | process
  1440 | WINWORD.EXE
  1440 | WINWORD.EXE
  1920 | helppane.exe
  1920 | helppane.exe
  1440 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe
  description | pid | process | target process
  PID 868 wrote to memory of 2040 | 868 | cmd.exe | ipconfig.exe
  PID 868 wrote to memory of 2040 | 868 | cmd.exe | ipconfig.exe
  PID 868 wrote to memory of 2040 | 868 | cmd.exe | ipconfig.exe
  PID 868 wrote to memory of 1312 | 868 | cmd.exe | NETSTAT.EXE
  PID 868 wrote to memory of 1312 | 868 | cmd.exe | NETSTAT.EXE
  PID 868 wrote to memory of 1312 | 868 | cmd.exe | NETSTAT.EXE
Processes
- C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\HRCComplaintProcedureForm (7).doc"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\control.exe
  "C:\Windows\system32\control.exe" /name Microsoft.DefaultPrograms
- C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
- C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x2e4
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\helppane.exe
  C:\Windows\helppane.exe -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
- C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
- C:\Windows\system32\control.exe
  "C:\Windows\system32\control.exe" /name Microsoft.DefaultPrograms
- C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
- C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    - Modifies service
    - Gathers network information
  - C:\Windows\system32\NETSTAT.EXE
    Netstat -a -n -o
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken