Overview

overview

10

Static

static

8

Request fo...Q).ppt

windows7_x64

10

Request fo...Q).ppt

windows10_x64

10

Analysis

  • max time kernel
    71s
  • max time network
    13s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-03-2021 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Request for Quotation via ShipServ 7465649870 RFQ).ppt

  • Size

    66KB

  • MD5

    e4405847f94ce7a7ff1cf42754030467

  • SHA1

    3c183881bab3a09576a24da6c6aceaf106e97f1b

  • SHA256

    bc692c42c9c300e9ea559d6cdd74239d85339b60918b1c712db7078c1298421a

  • SHA512

    cf8f7b945ae3df26e929cb28c1eeb0e3dd27620dd92c4c8749e2d18a226bcda6540ce36fcedd02c4f0d0333e5129b66d12e86b8a8d7298662d6b2dc3c027c6b9

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 16 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 16 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Request for Quotation via ShipServ 7465649870 RFQ).ppt"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1988
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:584
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1416
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1508
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1808
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1796
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1748
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1700
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1424
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:240
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:384
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1836
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1880
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1480
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:600
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1400
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:108

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/108-22-0x0000000000000000-mapping.dmp
      Download
    • memory/240-15-0x0000000000000000-mapping.dmp
      Download
    • memory/384-16-0x0000000000000000-mapping.dmp
      Download
    • memory/584-7-0x0000000000000000-mapping.dmp
      Download
    • memory/600-20-0x0000000000000000-mapping.dmp
      Download
    • memory/1400-21-0x0000000000000000-mapping.dmp
      Download
    • memory/1416-9-0x0000000000000000-mapping.dmp
      Download
    • memory/1424-14-0x0000000000000000-mapping.dmp
      Download
    • memory/1480-19-0x0000000000000000-mapping.dmp
      Download
    • memory/1508-8-0x0000000000000000-mapping.dmp
      Download
    • memory/1700-13-0x0000000000000000-mapping.dmp
      Download
    • memory/1748-11-0x0000000000000000-mapping.dmp
      Download
    • memory/1796-12-0x0000000000000000-mapping.dmp
      Download
    • memory/1808-10-0x0000000000000000-mapping.dmp
      Download
    • memory/1812-2-0x0000000073BA1000-0x0000000073BA5000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1812-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1812-3-0x0000000071241000-0x0000000071243000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1836-17-0x0000000000000000-mapping.dmp
      Download
    • memory/1880-18-0x0000000000000000-mapping.dmp
      Download
    • memory/1988-6-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1988-5-0x0000000000000000-mapping.dmp
      Download