Overview

overview

10

Static

static

Liste397__...a.docx

windows7_x64

10

Liste397__...a.docx

windows10_x64

1

Resubmissions

14-01-2021 11:22

210114-xyzq9ek6j2 10

14-01-2021 08:38

210114-bly72wl4k6 4

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-01-2021 11:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Liste397__12.01.2021_Carsamba.docx

  • Size

    208KB

  • MD5

    dc41aa50be50697423ef1d266b9b1050

  • SHA1

    6c90e082b24ceddbc02176be64a2f914e813ab48

  • SHA256

    69275397c8f8bdc2b2f24c960375d9301a472a70b5f48f3ef4d72e2958e05a87

  • SHA512

    a3f22a198cbca0dfddbebeb97a5eb32a2e327ed3d072b2fcb6f37ff44c863e93e47ee1fd436ca1f48109d52495fe1864f258b0622bbac7e5dc6a59d36e5d3a99

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Liste397__12.01.2021_Carsamba.docx"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:556
      • C:\Program Files\Java\jre7\bin\javaw.exe
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\85986877527147364497769837232458224651471542897673669983652893892488554678389226.jar"
        2⤵
        • Process spawned unexpected child process
        PID:1168
      • C:\Program Files\Java\jre7\bin\javaw.exe
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\85986877527147364497769837232458224651471542897673669983652893892488554678389226.jar"
        2⤵
        • Process spawned unexpected child process
        PID:580

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\85986877527147364497769837232458224651471542897673669983652893892488554678389226.jar
      MD5

      dcf08a33649ed492419e3a8c04d2e2b7

      SHA1

      6139647ba17b0e21d104bfcc80c80cd7a85c6ebf

      SHA256

      c0edc402d5487ffc46211b84863de5948e7a412f89cd923cf676e6b1bad3a868

      SHA512

      d73ef2ce89231fd3d80b785e510ae92714a4c303e47daba85617fd7aa4062e9dcfa35b1092702a7a2ba5ab971b83554bf1b8ffd67880ec79b6b25ad338181daf

      Download Submit
    • memory/556-2-0x0000000000000000-mapping.dmp
      Download
    • memory/580-6-0x0000000000000000-mapping.dmp
      Download
    • memory/1168-3-0x0000000000000000-mapping.dmp
      Download