Overview

overview

10

Static

static

8

cb1ae1de_b...is.doc

windows7_x64

10

cb1ae1de_b...is.doc

windows10_x64

10

Analysis

  • max time kernel
    101s
  • max time network
    23s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    05-05-2021 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb1ae1de_by_Libranalysis.doc

  • Size

    1.4MB

  • MD5

    cb1ae1de9487edd65c2201f1f4a36e3c

  • SHA1

    80cb89663d148dd302301e9f66b37d1c3de91a59

  • SHA256

    e6dff9a5f74fff3a95e2dcb48b81b05af5cf5be73823d56c10eee80c8f17c845

  • SHA512

    0b08cfac486dc87256ddbe467bc185ba96e71b3a6865a9fe1ad3390290166e528147e705267f02a8903dce28da3f99674c3d24d4d628d1ff5db7a9656f080fe6

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cb1ae1de_by_Libranalysis.doc"
    1⤵
    • Deletes itself
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c md c:\Drivers
      2⤵
      • Process spawned unexpected child process
      PID:1988
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /b C:\Windows\system32\certut*.exe c:\Drivers\DriverUpdateFx.exe
      2⤵
      • Process spawned unexpected child process
      PID:1944
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /b c:\Drivers\DriverGFE.tmp+c:\Drivers\DriverGFXCoin.tmp c:\Drivers\DriverCPHS.tmp & del c:\Drivers\DriverGFE.tmp & del c:\Drivers\DriverGFXCoin.tmp
      2⤵
      • Process spawned unexpected child process
      PID:1760
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c c:\Drivers\DriverUpdateFx.exe -decode c:\Drivers\DriverCPHS.tmp c:\Drivers\DriverGFX.tmp & del c:\Drivers\DriverCPHS.tmp & del c:\Drivers\DriverUpdateFx.exe
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1352
      • \??\c:\Drivers\DriverUpdateFx.exe
        c:\Drivers\DriverUpdateFx.exe -decode c:\Drivers\DriverCPHS.tmp c:\Drivers\DriverGFX.tmp
        3⤵
        • Executes dropped EXE
        PID:1496
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mavinject.exe 1212 /injectrunning c:\Drivers\DriverGFX.tmp
      2⤵
      • Process spawned unexpected child process
      PID:1032
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1832

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Drivers\DriverUpdateFx.exe
      MD5

      7b973145f7e1b59330ca4dd1f86b3d55

      SHA1

      10ce9174bff4856083e6adad0094a798ced2c079

      SHA256

      589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4

      SHA512

      1e910be2a19a13e6f07f290fc5de8f44a3d1427eb216928bd9230337e3c604b1b782acd373e2d051fc3521280610cb05a95cb95ff2e1db110a4593e55709e9b4

      Download Submit
    • \??\c:\Drivers\DriverCPHS.tmp
      MD5

      4d8ea25779a892048e02c716c8742758

      SHA1

      12ff47a0d2c60535ec77ff08222cae1064ac4c7d

      SHA256

      8f20bd7ac51caeca497981db33a9a660616f7358af4fdbd132a7e6f6349d5567

      SHA512

      22faa91fcefce8c3031f2c39505192789e22be0dc56180e1fdea6ddcd943fe550ae899a4cb2524f7695f4579bc48c9f0fcf8db5df790f439959b29994cde3052

      Download Submit
    • \??\c:\Drivers\DriverGFE.tmp
      MD5

      271ddf829afeece44d8732757fba1a66

      SHA1

      56ab49a5c68f11cc45c651da6a3f339eff2853f8

      SHA256

      ca62d5e073f52f3ceb83f72d4d70d4fcd8b1ed041cddfb02ccfbbe1f90134f05

      SHA512

      b61c7b5a882f363569058106c96d43856e6ab71587c4426ca48ae4979b7c12cf55faca0b09c2db500521cc0814bfcc022d5f16ed7090327b83865dfa8801baed

      Download Submit
    • \??\c:\Drivers\DriverGFXCoin.tmp
      MD5

      76e0da32c9363d0df0614641dcfe555c

      SHA1

      96056fde433b03372e5dd75d5cd1eafbe54a8174

      SHA256

      b063ee39c58d04210dddcdf4824f4658a5d47181ddaef01f5a3c82c89d2ce849

      SHA512

      be120b13ee68de5bbf7d4e8ff9d582c73510d6288705c42e1d4b74062790643ea253c6a927ae00b5b6c36b1aa7cd177b4972c59bccdc647afe716a5bd92d6433

      Download Submit
    • \??\c:\Drivers\DriverUpdateFx.exe
      MD5

      7b973145f7e1b59330ca4dd1f86b3d55

      SHA1

      10ce9174bff4856083e6adad0094a798ced2c079

      SHA256

      589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4

      SHA512

      1e910be2a19a13e6f07f290fc5de8f44a3d1427eb216928bd9230337e3c604b1b782acd373e2d051fc3521280610cb05a95cb95ff2e1db110a4593e55709e9b4

      Download Submit
    • \Drivers\DriverUpdateFx.exe
      MD5

      7b973145f7e1b59330ca4dd1f86b3d55

      SHA1

      10ce9174bff4856083e6adad0094a798ced2c079

      SHA256

      589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4

      SHA512

      1e910be2a19a13e6f07f290fc5de8f44a3d1427eb216928bd9230337e3c604b1b782acd373e2d051fc3521280610cb05a95cb95ff2e1db110a4593e55709e9b4

      Download Submit
    • memory/1032-75-0x0000000000000000-mapping.dmp
      Download
    • memory/1352-68-0x0000000000000000-mapping.dmp
      Download
    • memory/1496-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1496-73-0x0000000076A01000-0x0000000076A03000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1760-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1796-60-0x0000000072E81000-0x0000000072E84000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1796-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1796-61-0x0000000070901000-0x0000000070903000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1796-78-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1832-76-0x0000000000000000-mapping.dmp
      Download
    • memory/1832-77-0x000007FEFC381000-0x000007FEFC383000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1944-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1988-63-0x0000000000000000-mapping.dmp
      Download