Analysis

  • max time kernel
    123s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15-12-2020 15:51

General

  • Target

    intelligence 12.15.20.doc

  • Size

    94KB

  • MD5

    cae7a9d8c05bb9e0f6210680d01ace3b

  • SHA1

    89bf3e579265b7b743f123b51f0995d482ad7587

  • SHA256

    a693c322ccdfcae8ca552dcb1179e483b72719c1f3586acb8c09949c1b71c0df

  • SHA512

    f2072b4c22894f83266f0854941cc9d5af2f3f92f8ef003bc49316567ebbe6dbb2052e95cb5367694faffdf0eac9a337e0214ef1b0e3483f63cd72e3c67787b3

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\intelligence 12.15.20.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta"
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:324
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" c:\programdata\aMvl4.pdf,ShowDialogA -r
          4⤵
            PID:1844
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:328

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry
    1
    T1112
  • Discovery
    System Information Discovery
    1
    T1082

Downloads

  • C:\users\public\index.hta
    MD5

    478ad2476fae05ae109845bc5e8165f8

    SHA1

    83cdd78c74c5548775c16e187258eccf037ae58e

    SHA256

    95129bba2c036259fa080060421a1379bbb234cb7161004f27276e861236ddfc

    SHA512

    05207941b294f08bb295c26e22e8535571967e17d89e3bc6b27d53ddc20cfcb683168ce0a9372f79815e419b83d657aa1112cadd2025b53dae5326de593324f4

  • \??\c:\programdata\aMvl4.pdf
    MD5

    d7f2a2c51e0899e2279e37bb85869c96

    SHA1

    1e370850d9c3dd2c4c69c3b3328a69cded4cc1d4

    SHA256

    19553aca4c518ed878c126c1f1e513e74e4b150774ce69c63b3e9e2fd52adc52

    SHA512

    ff42b1e977ad03a5290962fb7867a5104ad033e21737f16b1f866aba61af08f93b7f8d78e3d5807510be946536c3f4464bf1debd6264412185925eeb465f3d9f

  • memory/324-6-0x0000000000000000-mapping.dmp
  • memory/324-11-0x0000000006B90000-0x0000000006BB3000-memory.dmp
    Filesize

    140KB

  • memory/328-7-0x0000000000000000-mapping.dmp
  • memory/1608-4-0x0000000000000000-mapping.dmp
  • memory/1656-8-0x000007FEF7020000-0x000007FEF729A000-memory.dmp
    Filesize

    2.5MB

  • memory/1844-9-0x0000000000000000-mapping.dmp
  • memory/1992-2-0x0000000000534000-0x0000000000537000-memory.dmp
    Filesize

    12KB

  • memory/1992-3-0x00000000004FA000-0x0000000000505000-memory.dmp
    Filesize

    44KB