Overview

overview

8

Static

static

8

HRCComplai...7).doc

windows7_x64

1

HRCComplai...7).doc

windows10_x64

4

Resubmissions

07-09-2020 14:49

200907-6g4j1lsg4a 8

07-09-2020 14:46

200907-621166mbea 8

07-09-2020 14:43

200907-arlway4y22 8

07-09-2020 14:40

200907-2gfycfzzsn 8

07-09-2020 14:37

200907-48ed1pf1qa 8

07-09-2020 14:30

200907-nrhrd8w9xa 8

07-09-2020 14:27

200907-7xkbfnkxne 8

07-09-2020 13:24

200907-hmxpvsyqqx 8

07-09-2020 13:22

200907-y2l4q28146 8

07-09-2020 13:19

200907-snqv561r56 8

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    07-09-2020 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HRCComplaintProcedureForm (7).doc

  • Size

    80KB

  • MD5

    a411bb05ee4192202c88efdbd54552db

  • SHA1

    6b0acf8175d39a1008bf9fb0d3c45bb63a3361e9

  • SHA256

    33a24ad4b225880bee5c9d40527022ea020daf2f6d7643269f4f739b3271f5de

  • SHA512

    6e424b2c2a7881d4969ddfaef595822f3d987e8fc49f578118c6d4ba25461ef53613405394f4ac366606ecfda08ede4d22f436f182aaee82ba9b5f7962cce6f4

Score
1/10

Malware Config

Signatures

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Modifies registry class 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\HRCComplaintProcedureForm (7).doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:788
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1972
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\DisconnectFind\" -ad -an -ai#7zMap4898:90:7zEvent30410
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:808
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\vcredist2010_x64.log.html
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1508
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\BlockWatch\" -ad -an -ai#7zMap16830:82:7zEvent30369
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1952
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets"
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1916
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets"
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1212

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JACOLRK2.txt
      Download Submit
    • memory/1348-0-0x000007FEF50D0000-0x000007FEF534A000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/1508-1-0x0000000000000000-mapping.dmp
      Download
    • memory/1916-6-0x0000000000000000-mapping.dmp
      Download