Overview

overview

10

Static

static

8

Request fo...Q).ppt

windows7_x64

10

Request fo...Q).ppt

windows10_x64

10

Analysis

  • max time kernel
    70s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-03-2021 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Request for Quotation via ShipServ 7465649870 RFQ).ppt

  • Size

    66KB

  • MD5

    e4405847f94ce7a7ff1cf42754030467

  • SHA1

    3c183881bab3a09576a24da6c6aceaf106e97f1b

  • SHA256

    bc692c42c9c300e9ea559d6cdd74239d85339b60918b1c712db7078c1298421a

  • SHA512

    cf8f7b945ae3df26e929cb28c1eeb0e3dd27620dd92c4c8749e2d18a226bcda6540ce36fcedd02c4f0d0333e5129b66d12e86b8a8d7298662d6b2dc3c027c6b9

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 16 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 16 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\Request for Quotation via ShipServ 7465649870 RFQ).ppt"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1956
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1652
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1020
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1052
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:268
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:912
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:648
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:768
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:660
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1356
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1068
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1688
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1788
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:620
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:548
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:1440
      • C:\Windows\SysWOW64\ping.exe
        ping 127.0.0.1
        2⤵
        • Process spawned unexpected child process
        • Runs ping.exe
        PID:2092

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/268-10-0x0000000000000000-mapping.dmp
      Download
    • memory/548-20-0x0000000000000000-mapping.dmp
      Download
    • memory/620-19-0x0000000000000000-mapping.dmp
      Download
    • memory/648-12-0x0000000000000000-mapping.dmp
      Download
    • memory/660-14-0x0000000000000000-mapping.dmp
      Download
    • memory/768-13-0x0000000000000000-mapping.dmp
      Download
    • memory/912-11-0x0000000000000000-mapping.dmp
      Download
    • memory/1020-8-0x0000000000000000-mapping.dmp
      Download
    • memory/1052-9-0x0000000000000000-mapping.dmp
      Download
    • memory/1068-16-0x0000000000000000-mapping.dmp
      Download
    • memory/1356-15-0x0000000000000000-mapping.dmp
      Download
    • memory/1440-21-0x0000000000000000-mapping.dmp
      Download
    • memory/1640-2-0x0000000074491000-0x0000000074495000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1640-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1640-3-0x0000000071521000-0x0000000071523000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1652-7-0x0000000000000000-mapping.dmp
      Download
    • memory/1688-17-0x0000000000000000-mapping.dmp
      Download
    • memory/1788-18-0x0000000000000000-mapping.dmp
      Download
    • memory/1956-6-0x000007FEFBEC1000-0x000007FEFBEC3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1956-5-0x0000000000000000-mapping.dmp
      Download
    • memory/2092-22-0x0000000000000000-mapping.dmp
      Download