Overview

overview

8

Static

static

8

final.doc

windows7_x64

5

final.doc

windows10_x64

4

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    11-03-2021 14:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    final.doc

  • Size

    511KB

  • MD5

    dddd3ed6562a39e64566934015087764

  • SHA1

    3a0e2b8630c341e3cd5496bc3fdcc51acf94d908

  • SHA256

    bf45d80a601a95a81e1e03d7140251fb0c2d377048099a79af8a189e5fd8f62b

  • SHA512

    0db56a41c57ca09f1ae91787d85b804cc6143d9423e2f7aa9dcfde24e4aca1c4c17ea26ffa6b083080d0c63ae7dcb869b3ff9dc1e939dc748dd7345eb769c805

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\final.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1512
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {DD5E750E-E72A-4E18-98AD-A74D64585B15} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\system32\wscript.exe
        wscript.exe "C:\Users\Public\Documents\Microsoft Documents\g_m.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:752
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -file "C:\Users\Public\Documents\Microsoft Documents\g_c.ps1"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1620
      • C:\Windows\system32\wscript.exe
        wscript.exe "C:\Users\Public\Documents\Microsoft Documents\v.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -file "C:\Users\Public\Documents\Microsoft Documents\g.ps1"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1748

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      MD5

      5955e39b07abba149bcd703296576b68

      SHA1

      2d717d4f901bc080835daef60de5513950a049f5

      SHA256

      a58c2f384361b49523c0cc4c2195c3d012b625dfd264094ddc2227292179579c

      SHA512

      d0469ef83b4abb0aa2262556f145ba9549f904bee45ad6723226cd5b5491d6e2e44a4793a4b009b5319be8c45a365a0a927e12f6a5b1fde755074b10cd770fce

      Download Submit
    • C:\Users\Public\Documents\Microsoft Documents\g.ps1
      MD5

      256076811f294eb6143a20abb5cfe257

      SHA1

      a477baa81b14915f137471e19cae9dc2bc85ed75

      SHA256

      eda27c5a5e34e2f03bfff967c5214d1077a93f6b25d1f0dcf7d7e8b86c3fab59

      SHA512

      815fa871adb2888c77e94a9ec7797275b67147725808be223a9498d922f4e7aa04a719d95cc0ae9095b52eb89e5ff2332ca975cfd2468b50f061613036cd865d

      Download Submit
    • C:\Users\Public\Documents\Microsoft Documents\g_c.ps1
      MD5

      e9c0df0d3cdc933110d9251782952d4c

      SHA1

      fabc23132c481fb7bbfbaa3afd683bcfcbb2bcbf

      SHA256

      5d459a7fb9a94508572dfa3f9332ca2737a36a57574934b90f1df15205be383d

      SHA512

      228e183aba8fbbc627c25d76546e9968c5363897c4786bf5497ab1b319c775711f1aa2fcaedb7963247128cc79027420a82e74dccfb3aac2264339c438f9e5f2

      Download Submit
    • C:\Users\Public\Documents\Microsoft Documents\g_m.vbs
      MD5

      a1f7fa7403f30c78b5bcfa8cef5fdfd4

      SHA1

      539ca077fd018832f2ecc21eb7cc1cc88e458f3e

      SHA256

      c03777d61e27132eebfa1de845cf1f443e356f2bfb26a9ddd504d9b90a5e5de6

      SHA512

      91ccae52e209382bafd018f3eb3d907b5196468206deb0512335e3d0d7f230e9a06bccc7922cb0b108f5cd6c693cf822cf0f77459814659c90dd0c6e48cfe180

      Download Submit
    • C:\Users\Public\Documents\Microsoft Documents\v.vbs
      MD5

      f830a9510d9f4e7854f89d6f666d5436

      SHA1

      7249ccc7236045afded388d9ac2cd87787aa5194

      SHA256

      2a906fd8de71d6fd9932d8ea6d6606305df618f01b7de58ed8d603420b815be1

      SHA512

      a2bd30e031c8c33b53995ec03f60a8b589bc15323f7dea07a2c0db5f6f5a7ad90e14b3721ffe501942b3c32c457697fd7aaf004a3402708354281c82222e796b

      Download Submit
    • memory/752-9-0x0000000000000000-mapping.dmp
      Download
    • memory/752-35-0x0000000002600000-0x0000000002604000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1060-8-0x0000000000000000-mapping.dmp
      Download
    • memory/1512-6-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1512-5-0x0000000000000000-mapping.dmp
      Download
    • memory/1596-2-0x0000000072631000-0x0000000072634000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1596-7-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1596-3-0x00000000700B1000-0x00000000700B3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1596-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1620-23-0x000000001AB10000-0x000000001AB12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1620-21-0x0000000002360000-0x0000000002361000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1620-22-0x000000001AB90000-0x000000001AB91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1620-24-0x000000001AB14000-0x000000001AB16000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1620-25-0x00000000027D0000-0x00000000027D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1620-30-0x00000000025B0000-0x00000000025B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1620-20-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1620-14-0x0000000000000000-mapping.dmp
      Download
    • memory/1748-19-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1748-28-0x000000001AB70000-0x000000001AB72000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1748-29-0x000000001AB74000-0x000000001AB76000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1748-15-0x0000000000000000-mapping.dmp
      Download