Resubmissions
07-09-2020 14:49
200907-6g4j1lsg4a 807-09-2020 14:46
200907-621166mbea 807-09-2020 14:43
200907-arlway4y22 807-09-2020 14:40
200907-2gfycfzzsn 807-09-2020 14:37
200907-48ed1pf1qa 807-09-2020 14:30
200907-nrhrd8w9xa 807-09-2020 14:27
200907-7xkbfnkxne 807-09-2020 13:24
200907-hmxpvsyqqx 807-09-2020 13:22
200907-y2l4q28146 807-09-2020 13:19
200907-snqv561r56 8Analysis
-
max time kernel
148s -
max time network
130s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
07-09-2020 13:11
General
-
Target
HRCComplaintProcedureForm (7).doc
-
Size
80KB
-
MD5
a411bb05ee4192202c88efdbd54552db
-
SHA1
6b0acf8175d39a1008bf9fb0d3c45bb63a3361e9
-
SHA256
33a24ad4b225880bee5c9d40527022ea020daf2f6d7643269f4f739b3271f5de
-
SHA512
6e424b2c2a7881d4969ddfaef595822f3d987e8fc49f578118c6d4ba25461ef53613405394f4ac366606ecfda08ede4d22f436f182aaee82ba9b5f7962cce6f4
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 32 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
JavaScript code in executable 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Modifies service 2 TTPs 285 IoCs
-
Drops file in Program Files directory 275 IoCs
-
Drops file in Windows directory 53 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 150 IoCs
-
Modifies registry class 659 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 725 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\HRCComplaintProcedureForm (7).doc"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Office14\SELFCERT.EXE"C:\Program Files\Microsoft Office\Office14\SELFCERT.EXE"1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Modifies service
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C156A40354461BD0990E5E5FEDF19FF82⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 57D0DF2783ADC481B62429DCA585DF0F M Global\MSI00002⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe"C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=53⤵
- Executes dropped EXE
-
C:\Windows\syswow64\MsiExec.exe"C:\Windows\syswow64\MsiExec.exe" /Z "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll"2⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding A398FC38C0DBEA1942D0ECE7E1F3DCAA2⤵
- Loads dropped DLL
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "0000000000000540" "00000000000003DC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL1⤵
- Loads dropped DLL
- Modifies service
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot13" "" "" "66d15495b" "0000000000000000" "0000000000000540" "0000000000000588"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\37371AF57575D4FC7CE445937224B2BDB6F80AEE
-
C:\Windows\Installer\MSI1075.tmp
-
C:\Windows\Installer\MSI1D04.tmp
-
C:\Windows\Installer\MSI2983.tmp
-
C:\Windows\Installer\MSI29B3.tmp
-
C:\Windows\Installer\MSI29D3.tmp
-
C:\Windows\Installer\MSI29F3.tmp
-
C:\Windows\Installer\MSI2ABF.tmp
-
C:\Windows\Installer\MSI2ADF.tmp
-
C:\Windows\Installer\MSI2E1C.tmp
-
C:\Windows\Installer\MSI2E2.tmp
-
C:\Windows\Installer\MSI2E3C.tmp
-
C:\Windows\Installer\MSI3CD.tmp
-
C:\Windows\Installer\MSI3FD.tmp
-
C:\Windows\Installer\MSI4C9.tmp
-
C:\Windows\Installer\MSI585.tmp
-
C:\Windows\Installer\MSI7C7C.tmp
-
C:\Windows\Installer\MSI8015.tmp
-
C:\Windows\Installer\MSI874.tmp
-
C:\Windows\Installer\MSIA98.tmp
-
C:\Windows\Installer\MSIB06.tmp
-
C:\Windows\Installer\MSIE13.tmp
-
C:\Windows\Installer\MSIF73A.tmp
-
C:\Windows\Installer\MSIF8A.tmp
-
C:\Windows\Installer\MSIFAD4.tmp
-
C:\Windows\Installer\MSIFBDE.tmp
-
C:\Windows\Installer\MSIFD55.tmp
-
\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll
-
\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll
-
\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api
-
\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
-
\Users\Admin\AppData\Local\Temp\Setup00000444\OSETUP.DLL
-
\Users\Admin\AppData\Local\Temp\Setup00000444\OSETUPUI.DLL
-
\Windows\Installer\MSI1075.tmp
-
\Windows\Installer\MSI1D04.tmp
-
\Windows\Installer\MSI2983.tmp
-
\Windows\Installer\MSI29B3.tmp
-
\Windows\Installer\MSI29D3.tmp
-
\Windows\Installer\MSI29F3.tmp
-
\Windows\Installer\MSI2ABF.tmp
-
\Windows\Installer\MSI2ADF.tmp
-
\Windows\Installer\MSI2E1C.tmp
-
\Windows\Installer\MSI2E2.tmp
-
\Windows\Installer\MSI2E3C.tmp
-
\Windows\Installer\MSI3CD.tmp
-
\Windows\Installer\MSI3FD.tmp
-
\Windows\Installer\MSI4C9.tmp
-
\Windows\Installer\MSI585.tmp
-
\Windows\Installer\MSI7C7C.tmp
-
\Windows\Installer\MSI8015.tmp
-
\Windows\Installer\MSI874.tmp
-
\Windows\Installer\MSIA98.tmp
-
\Windows\Installer\MSIB06.tmp
-
\Windows\Installer\MSIE13.tmp
-
\Windows\Installer\MSIF73A.tmp
-
\Windows\Installer\MSIF8A.tmp
-
\Windows\Installer\MSIFAD4.tmp
-
\Windows\Installer\MSIFBDE.tmp
-
\Windows\Installer\MSIFD55.tmp
-
memory/736-7-0x0000000000000000-mapping.dmp
-
memory/820-50-0x0000000000000000-mapping.dmp
-
memory/896-32-0x0000000000000000-mapping.dmp
-
memory/1092-91-0x0000000002D50000-0x0000000002D51000-memory.dmpFilesize
4KB
-
memory/1092-95-0x0000000009890000-0x0000000009894000-memory.dmpFilesize
16KB
-
memory/1092-94-0x000000000A890000-0x000000000A894000-memory.dmpFilesize
16KB
-
memory/1092-87-0x0000000001D10000-0x0000000001D11000-memory.dmpFilesize
4KB
-
memory/1092-92-0x00000000039C0000-0x00000000039C2000-memory.dmpFilesize
8KB
-
memory/1108-40-0x0000000000000000-mapping.dmp
-
memory/1176-98-0x0000000000000000-mapping.dmp
-
memory/1408-2-0x0000000001BC0000-0x0000000001BC1000-memory.dmpFilesize
4KB
-
memory/1556-84-0x00000000047A0000-0x00000000047A4000-memory.dmpFilesize
16KB
-
memory/1556-4-0x0000000001010000-0x0000000001012000-memory.dmpFilesize
8KB
-
memory/1556-56-0x00000000018A0000-0x00000000018A4000-memory.dmpFilesize
16KB
-
memory/1556-46-0x00000000047A0000-0x00000000047A4000-memory.dmpFilesize
16KB
-
memory/1556-76-0x00000000047A0000-0x00000000047A4000-memory.dmpFilesize
16KB
-
memory/1556-28-0x00000000011B0000-0x00000000011B2000-memory.dmpFilesize
8KB
-
memory/1556-27-0x00000000018A0000-0x00000000018A4000-memory.dmpFilesize
16KB
-
memory/1556-55-0x00000000018A0000-0x00000000018A4000-memory.dmpFilesize
16KB
-
memory/1556-54-0x0000000002660000-0x0000000002680000-memory.dmpFilesize
128KB
-
memory/1556-26-0x0000000001A10000-0x0000000001A14000-memory.dmpFilesize
16KB
-
memory/1556-105-0x0000000001370000-0x0000000001374000-memory.dmpFilesize
16KB
-
memory/1556-103-0x0000000002420000-0x0000000002424000-memory.dmpFilesize
16KB
-
memory/1556-104-0x0000000001370000-0x0000000001374000-memory.dmpFilesize
16KB
-
memory/2036-0-0x0000000002120000-0x0000000002121000-memory.dmpFilesize
4KB