Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    21-04-2021 16:09

General

  • Target

    Quote Request #7779510.doc

  • Size

    295KB

  • MD5

    56031cae7ff0acf6da4b77070c607774

  • SHA1

    c9f9047e53d83becc7c6076c899a703f1e6e1a76

  • SHA256

    ff381561194eae8d503307490082530d0b452297e33610d219d6a116814b6447

  • SHA512

    5ec0385f97e866da8316f9d84ec4148fbfa9a069510a71aad28b1a1a6b71d05a3155d63d8ae5e341e3123ed9441ff6b8a6a9202a5798665ecce42d3b46e53265

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (10 IoCs)
  • NTFS ADS (1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Quote Request #7779510.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:2876

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 2

Downloads

  • C:\Users\Admin\AppData\Local\Packages\oice_16_974fa576_32c1d314_35a5\AC\Temp\FL5CDB.tmp
    MD5

    2b30fa679c8ac3fe5437bc0b00cd0b59

    SHA1

    24a4ecc1197d83d031ae83b02c6e13d9ae242bbc

    SHA256

    60f174927eea85d926fe6fa3d18297a507d098a419fb3bd1b27ce615da686da8

    SHA512

    dbf26d3629a4fd1ead8964acad15fbed58331122f13bd4bf04e9692eab0d4bc8326469ab01bf484d2bd7c9f442bf4e1272833323b6b30cd9cd7e44c810f4ccdb

  • memory/2876-179-0x0000000000000000-mapping.dmp
  • memory/2876-181-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
    Filesize

    64KB

  • memory/4024-114-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
    Filesize

    64KB

  • memory/4024-115-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
    Filesize

    64KB

  • memory/4024-116-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
    Filesize

    64KB

  • memory/4024-117-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
    Filesize

    64KB

  • memory/4024-118-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp
    Filesize

    64KB

  • memory/4024-119-0x00007FFAAA370000-0x00007FFAACE93000-memory.dmp
    Filesize

    43.1MB

  • memory/4024-122-0x00007FFAA4990000-0x00007FFAA5A7E000-memory.dmp
    Filesize

    16.9MB

  • memory/4024-123-0x00007FFAA2A90000-0x00007FFAA4985000-memory.dmp
    Filesize

    31.0MB