Analysis
-
max time kernel
122s -
max time network
25s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
06-03-2021 06:50
General
-
Target
ORDINE 2021004.doc
-
Size
196KB
-
MD5
797f651c45b0b81311e0e23844a448e2
-
SHA1
2bfaa69508304632718274c6a648cf28f0199bd3
-
SHA256
3fcb2dde6e1867fdbb5b6d5d9ed05a486b69855df4438dce4f4313f454effaf2
-
SHA512
61873f8c6e9fe9a67667fef1f57d60a25a5cae7f7df372a2f099849f764bc55361909c52f2cb62de9776350f7566b13f661d80cf350eb71b751bdefa4c815e68
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 9 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDINE 2021004.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe C:\Users\Admin\AppData\Local\Temp\restnatural.vbs2⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe C:\Users\Admin\AppData\Local\Temp\attacksix.exe2⤵
- Process spawned unexpected child process
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\restnatural.vbs"2⤵
- Blocklisted process makes network request
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\attacksix.exeMD5
62962daa1b19bbcc2db10b7bfd531ea6
SHA1d64bae91091eda6a7532ebec06aa70893b79e1f8
SHA25680c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880
SHA5129002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7
-
C:\Users\Admin\AppData\Local\Temp\restnatural.vbsMD5
d4926c9d3b391f4dddb6afbda8e36c0c
SHA1028b9ff60116aff36689ecc486b3748a19cb57fe
SHA256f2a1ece0b0e07f25d1800b0d02ebc8d642cd81c890f682e7ea6babff29004224
SHA5125daf4184ebf19cc844602ddbce92e638fb2b66b192e08abcc30e0572fb3c51be411dea5e21b115678d978294be0710f50ee5b56c63b7b96ce4cc30a8a53aa6bb
-
memory/316-5-0x0000000000000000-mapping.dmp
-
memory/316-6-0x00000000766F1000-0x00000000766F3000-memory.dmpFilesize
8KB
-
memory/316-7-0x000000006B701000-0x000000006B703000-memory.dmpFilesize
8KB
-
memory/1548-15-0x000000006B591000-0x000000006B593000-memory.dmpFilesize
8KB
-
memory/1548-13-0x0000000000000000-mapping.dmp
-
memory/1600-11-0x000007FEF63D0000-0x000007FEF664A000-memory.dmpFilesize
2.5MB
-
memory/1740-2-0x00000000728E1000-0x00000000728E4000-memory.dmpFilesize
12KB
-
memory/1740-4-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1740-3-0x0000000070361000-0x0000000070363000-memory.dmpFilesize
8KB
-
memory/1768-10-0x0000000000000000-mapping.dmp
-
memory/1768-12-0x0000000002510000-0x0000000002514000-memory.dmpFilesize
16KB
-
memory/1812-8-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmpFilesize
8KB
-
memory/1900-18-0x0000000002480000-0x0000000002481000-memory.dmpFilesize
4KB