Overview

overview

10

Static

static

8

cb1ae1de_b...is.doc

windows7_x64

10

cb1ae1de_b...is.doc

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05-05-2021 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb1ae1de_by_Libranalysis.doc

  • Size

    1.4MB

  • MD5

    cb1ae1de9487edd65c2201f1f4a36e3c

  • SHA1

    80cb89663d148dd302301e9f66b37d1c3de91a59

  • SHA256

    e6dff9a5f74fff3a95e2dcb48b81b05af5cf5be73823d56c10eee80c8f17c845

  • SHA512

    0b08cfac486dc87256ddbe467bc185ba96e71b3a6865a9fe1ad3390290166e528147e705267f02a8903dce28da3f99674c3d24d4d628d1ff5db7a9656f080fe6

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    PID:3052
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cb1ae1de_by_Libranalysis.doc" /o ""
      2⤵
      • Deletes itself
      • Checks processor information in registry
      • Enumerates system info in registry
      • NTFS ADS
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: RenamesItself
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c md c:\Drivers
        3⤵
        • Process spawned unexpected child process
        PID:3836
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy /b C:\Windows\system32\certut*.exe c:\Drivers\DriverUpdateFx.exe
        3⤵
        • Process spawned unexpected child process
        PID:1592
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy /b c:\Drivers\DriverGFE.tmp+c:\Drivers\DriverGFXCoin.tmp c:\Drivers\DriverCPHS.tmp & del c:\Drivers\DriverGFE.tmp & del c:\Drivers\DriverGFXCoin.tmp
        3⤵
        • Process spawned unexpected child process
        PID:2736
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c c:\Drivers\DriverUpdateFx.exe -decode c:\Drivers\DriverCPHS.tmp c:\Drivers\DriverGFX.tmp & del c:\Drivers\DriverCPHS.tmp & del c:\Drivers\DriverUpdateFx.exe
        3⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:3740
        • \??\c:\Drivers\DriverUpdateFx.exe
          c:\Drivers\DriverUpdateFx.exe -decode c:\Drivers\DriverCPHS.tmp c:\Drivers\DriverGFX.tmp
          4⤵
          • Executes dropped EXE
          PID:2272
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c mavinject.exe 3052 /injectrunning c:\Drivers\DriverGFX.tmp
        3⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:3996
        • C:\Windows\system32\mavinject.exe
          mavinject.exe 3052 /injectrunning c:\Drivers\DriverGFX.tmp
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Drivers\DriverUpdateFx.exe
    MD5

    056c7d065f4622da9cc2848f47e2bae2

    SHA1

    6c6f18b0ec53dc63488961c4240ec584ac71c25f

    SHA256

    e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c

    SHA512

    db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    MD5

    94dd92c631ff6cdab4d68169342baf3e

    SHA1

    d8b3f0feb1e44d0dbe18de815e252454c404e1dc

    SHA256

    1ba2615fa0c16024b23b34b7f14e596397dde9686a47454a5d317af83d755e9a

    SHA512

    975f5576ca97c83ecf34d7c0c3b7c01afa635c726cc9c8b182e1e1ec9c6b6bc6d5db2f807e88dca126a324b609b669ac0dd21f25c5bed5b3787bbc666c429c19

    Download Submit
  • \??\c:\Drivers\DriverCPHS.tmp
    MD5

    4d8ea25779a892048e02c716c8742758

    SHA1

    12ff47a0d2c60535ec77ff08222cae1064ac4c7d

    SHA256

    8f20bd7ac51caeca497981db33a9a660616f7358af4fdbd132a7e6f6349d5567

    SHA512

    22faa91fcefce8c3031f2c39505192789e22be0dc56180e1fdea6ddcd943fe550ae899a4cb2524f7695f4579bc48c9f0fcf8db5df790f439959b29994cde3052

    Download Submit
  • \??\c:\Drivers\DriverGFE.tmp
    MD5

    271ddf829afeece44d8732757fba1a66

    SHA1

    56ab49a5c68f11cc45c651da6a3f339eff2853f8

    SHA256

    ca62d5e073f52f3ceb83f72d4d70d4fcd8b1ed041cddfb02ccfbbe1f90134f05

    SHA512

    b61c7b5a882f363569058106c96d43856e6ab71587c4426ca48ae4979b7c12cf55faca0b09c2db500521cc0814bfcc022d5f16ed7090327b83865dfa8801baed

    Download Submit
  • \??\c:\Drivers\DriverGFX.tmp
    MD5

    1417f890248f193bb241f6b458ae4a97

    SHA1

    b2dfcbd8c3966ebed9275db7b14e359412db9963

    SHA256

    5c206b4dc2d3a25205176da9a1129c9f814c030a7bac245e3aaf7dd5d3ca4fbe

    SHA512

    384d7b43c9732c4f159266d0b2fa0956e304ba1efff1ac7a89ecc7baf5833bf08cdce713f474a9c0850a01d3e076f0deb96fcb857b106e4a994c0c600f586a2e

    Download Submit
  • \??\c:\Drivers\DriverGFXCoin.tmp
    MD5

    76e0da32c9363d0df0614641dcfe555c

    SHA1

    96056fde433b03372e5dd75d5cd1eafbe54a8174

    SHA256

    b063ee39c58d04210dddcdf4824f4658a5d47181ddaef01f5a3c82c89d2ce849

    SHA512

    be120b13ee68de5bbf7d4e8ff9d582c73510d6288705c42e1d4b74062790643ea253c6a927ae00b5b6c36b1aa7cd177b4972c59bccdc647afe716a5bd92d6433

    Download Submit
  • \??\c:\Drivers\DriverUpdateFx.exe
    MD5

    056c7d065f4622da9cc2848f47e2bae2

    SHA1

    6c6f18b0ec53dc63488961c4240ec584ac71c25f

    SHA256

    e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c

    SHA512

    db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5

    Download Submit
  • \Drivers\DriverGFX.tmp
    MD5

    1417f890248f193bb241f6b458ae4a97

    SHA1

    b2dfcbd8c3966ebed9275db7b14e359412db9963

    SHA256

    5c206b4dc2d3a25205176da9a1129c9f814c030a7bac245e3aaf7dd5d3ca4fbe

    SHA512

    384d7b43c9732c4f159266d0b2fa0956e304ba1efff1ac7a89ecc7baf5833bf08cdce713f474a9c0850a01d3e076f0deb96fcb857b106e4a994c0c600f586a2e

    Download Submit
  • memory/192-190-0x0000000000000000-mapping.dmp
    Download
  • memory/1592-180-0x0000000000000000-mapping.dmp
    Download
  • memory/2272-185-0x0000000000000000-mapping.dmp
    Download
  • memory/2736-181-0x0000000000000000-mapping.dmp
    Download
  • memory/3172-114-0x00007FF9B87B0000-0x00007FF9B87C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3172-123-0x00007FF9D1040000-0x00007FF9D2F35000-memory.dmp
    Filesize

    31.0MB

    Download
  • memory/3172-122-0x00007FF9D2F40000-0x00007FF9D402E000-memory.dmp
    Filesize

    16.9MB

    Download
  • memory/3172-118-0x00007FF9DA230000-0x00007FF9DCD53000-memory.dmp
    Filesize

    43.1MB

    Download
  • memory/3172-119-0x00007FF9B87B0000-0x00007FF9B87C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3172-117-0x00007FF9B87B0000-0x00007FF9B87C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3172-116-0x00007FF9B87B0000-0x00007FF9B87C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3172-115-0x00007FF9B87B0000-0x00007FF9B87C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3740-184-0x0000000000000000-mapping.dmp
    Download
  • memory/3836-179-0x0000000000000000-mapping.dmp
    Download
  • memory/3996-189-0x0000000000000000-mapping.dmp
    Download