Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15-12-2020 14:11

General

  • Target

    require 12.20.doc

  • Size

    94KB

  • MD5

    b3218a9b099653d0ebc1db27aa505fc5

  • SHA1

    74a58b762eb0dd09e0b0cd310a21e05406b1e731

  • SHA256

    999e7814917b82aa383ba96826af8ea3dca9d9e5fb67c04cc042b1ebf060e83f

  • SHA512

    af650b58058375418e8f8cf97617c341c119bdf440a76881fa3720303f9fd820b96987de0f48e654544a95aea0ac86a63fa4587d9e2f60e069e945a6757cc8da

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\require 12.20.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta"
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" c:\programdata\aMvl4.pdf,ShowDialogA -r
          4⤵
            PID:1632
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1304
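
The chain above (Word opening the document, rundll32 with url.dll,OpenURL handing the staged .hta to mshta, then a second rundll32 loading a module renamed to .pdf out of C:\ProgramData) is what the "Process spawned unexpected child process" signature is reacting to. The Python script below is an added example, not part of the sandbox report or its tooling: it encodes those parent/child and command-line relationships as detection rules and runs them over process records transcribed from this tree. The PIDs and command lines are copied from the report; the rule names, the sets of Office and proxy binaries, the user-writable directories and the ancestry walk (which treats WINWORD.EXE as the root because the report shows no parent for it) are the example's own assumptions. Note that the sandbox records the SysWOW64 image path while the command line names System32; that is WOW64 file-system redirection for 32-bit Office on x64 Windows, so the rules match on the image basename rather than its directory.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str              # image path as recorded by the sandbox
    cmdline: str            # full command line
    parent: Optional[int]   # parent PID, None for the root of the tree


# Process records transcribed from the report's process tree (constructed test data).
EVENTS = [
    Proc(932, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\require 12.20.doc"',
         None),
    Proc(1964, r"C:\Windows\SysWOW64\rundll32.exe",
         r'"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta', 932),
    Proc(1796, r"C:\Windows\SysWOW64\mshta.exe",
         r'"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta"', 1964),
    Proc(1632, r"C:\Windows\SysWOW64\rundll32.exe",
         r'"C:\Windows\System32\rundll32.exe" c:\programdata\aMvl4.pdf,ShowDialogA -r', 1796),
    Proc(1304, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288", 932),
]

# Assumed lists for the example; tune them to your own environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PROXY_BINS = {"rundll32.exe", "mshta.exe", "regsvr32.exe", "wscript.exe",
              "cscript.exe", "powershell.exe", "cmd.exe"}
SCRIPT_EXTS = (".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".url")
DLL_EXTS = (".dll", ".ocx", ".cpl", ".drv")
# Directories any interactive user can write to; the report shows payloads staged in the first two.
USER_WRITABLE = ("\\users\\public\\", "\\programdata\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted paths with spaces as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rundll32_module(cmdline: str):
    """Return (module, export) from 'rundll32.exe <module>,<export> [args]' (unquoted module form)."""
    args = tokens(cmdline)[1:]
    if not args:
        return None, None
    module, _, export = args[0].partition(",")
    return module.lower(), export


def in_user_writable(path: str) -> bool:
    return any(d in path.lower().replace("/", "\\") for d in USER_WRITABLE)


def analyze(events):
    """Return (pid, rule, detail) findings for the heuristics this report's chain triggers."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        name = basename(p.image)
        parent = by_pid.get(p.parent) if p.parent is not None else None
        pname = basename(parent.image) if parent else None
        # Rule 1: an Office application spawning a script/DLL proxy host (the splwow64 child is not one).
        if pname in OFFICE_APPS and name in PROXY_BINS:
            findings.append((p.pid, "office_spawns_proxy_bin", f"{pname} -> {name}"))
        # Rule 2: rundll32 proxy execution (ATT&CK T1218.011).
        if name == "rundll32.exe":
            module, export = rundll32_module(p.cmdline)
            if module:
                args = tokens(p.cmdline)[2:]
                # url.dll,OpenURL / FileProtocolHandler open a file through its registered handler.
                if (basename(module) == "url.dll"
                        and export.lower() in ("openurl", "fileprotocolhandler")
                        and any(a.lower().endswith(SCRIPT_EXTS) for a in args)):
                    findings.append((p.pid, "rundll32_url_dll_opens_script", args[0]))
                # A module without a DLL extension, staged in a user-writable directory: renamed payload.
                if not module.endswith(DLL_EXTS) and in_user_writable(module):
                    findings.append((p.pid, "rundll32_loads_masqueraded_module", f"{module},{export}"))
        # Rule 3: mshta running an .hta staged in a user-writable directory (ATT&CK T1218.005).
        if name == "mshta.exe":
            for a in tokens(p.cmdline)[1:]:
                if a.lower().endswith(".hta") and in_user_writable(a):
                    findings.append((p.pid, "mshta_runs_staged_hta", a))
    return findings


def ancestry(events, pid: int) -> list:
    """Walk parent links from pid to the root; returns image basenames, root first."""
    by_pid = {p.pid: p for p in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].parent
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"PID {pid:<5} {rule:<36} {detail}")
    print(" > ".join(ancestry(EVENTS, 1632)))
```

Run stand-alone it prints four findings (one each for PIDs 1964, 1796 and 1632, plus the Office-to-rundll32 edge) and the chain winword.exe > rundll32.exe > mshta.exe > rundll32.exe; the splwow64.exe child produces nothing, which is the behaviour you want from a rule that is going to run against real Office telemetry.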

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion: Modify Registry (T1112), 1 technique
  • Discovery: System Information Discovery (T1082), 1 technique

Downloads

  • C:\users\public\index.hta
    MD5
    478ad2476fae05ae109845bc5e8165f8
    SHA1
    83cdd78c74c5548775c16e187258eccf037ae58e
    SHA256
    95129bba2c036259fa080060421a1379bbb234cb7161004f27276e861236ddfc
    SHA512
    05207941b294f08bb295c26e22e8535571967e17d89e3bc6b27d53ddc20cfcb683168ce0a9372f79815e419b83d657aa1112cadd2025b53dae5326de593324f4

  • \??\c:\programdata\aMvl4.pdf
    MD5
    d7f2a2c51e0899e2279e37bb85869c96
    SHA1
    1e370850d9c3dd2c4c69c3b3328a69cded4cc1d4
    SHA256
    19553aca4c518ed878c126c1f1e513e74e4b150774ce69c63b3e9e2fd52adc52
    SHA512
    ff42b1e977ad03a5290962fb7867a5104ad033e21737f16b1f866aba61af08f93b7f8d78e3d5807510be946536c3f4464bf1debd6264412185925eeb465f3d9f

  • memory/932-2-0x000000000034E000-0x0000000000357000-memory.dmp
    Filesize
    36KB

  • memory/932-3-0x0000000000378000-0x000000000037B000-memory.dmp
    Filesize
    12KB

  • memory/1136-8-0x000007FEF6400000-0x000007FEF667A000-memory.dmp
    Filesize
    2.5MB

  • memory/1304-7-0x0000000000000000-mapping.dmp
  • memory/1632-9-0x0000000000000000-mapping.dmp
  • memory/1796-6-0x0000000000000000-mapping.dmp
  • memory/1796-11-0x0000000005FB0000-0x0000000005FD3000-memory.dmp
    Filesize
    140KB

  • memory/1964-4-0x0000000000000000-mapping.dmp