Overview

overview

10

Static

static

8

document.docm

windows7_x64

10

document.docm

windows10_x64

10

Resubmissions

10-05-2021 16:09

210510-xlvqhs6j76 10

10-05-2021 15:27

210510-ydc6x3dhja 10

Analysis

  • max time kernel
    75s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    10-05-2021 16:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    document.docm

  • Size

    68KB

  • MD5

    da3992522a61736e5dbc5c32978f05fe

  • SHA1

    670f0d608571fa8d799a98232cf2c16e8ccb9289

  • SHA256

    e6afaabd1e4a2c7adeedca6ee0ed095271a53a293162e3cf7ed52d570279258e

  • SHA512

    a2c3eee48add8eabf4fbe86a9e699fda302c143823f6ea3a629becf03d3d539aacfeabce52514e4b73e0db6d827031aec13e576a113f0aec92d0f7eb92f1c32a

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 22 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document.docm"
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1668
      • C:\Windows\SysWOW64\mshta.exe
        mshta.exe "about:<script language=VBScript>moveTo 0,-9999:Execute(CreateObject("Scripting.FileSystemObject").GetStandardStream(0).ReadAll()):sub window_onload:Close:End Sub</script><hta:application showintaskbar=no />"
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:428
        • C:\Users\Admin\AppData\Local\Temp\task-8764.exe
          "C:\Users\Admin\AppData\Local\Temp\task-8764.exe"
          3⤵
          • Executes dropped EXE
          PID:316

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\task-8764.exe
      MD5

      f0d563e989c1724797d84173dc310504

      SHA1

      9c1bf71dfccd9662e144348af7bf9e512af21c1c

      SHA256

      a6d2541ce15998d2e4d7e819e0b66f32b8b4734985ad4a1e295d1e14ee21ee7f

      SHA512

      0d7c03c4db2e1ec53cd047fadf79a564515713a394a7d0a712529cad82eeb0fd40c54490917fa84b09cf793e0d2da69d7434711438667a4f0e8c2ddeb2bfb78c

      Download Submit
    • \Users\Admin\AppData\Local\Temp\task-8764.exe
      MD5

      f0d563e989c1724797d84173dc310504

      SHA1

      9c1bf71dfccd9662e144348af7bf9e512af21c1c

      SHA256

      a6d2541ce15998d2e4d7e819e0b66f32b8b4734985ad4a1e295d1e14ee21ee7f

      SHA512

      0d7c03c4db2e1ec53cd047fadf79a564515713a394a7d0a712529cad82eeb0fd40c54490917fa84b09cf793e0d2da69d7434711438667a4f0e8c2ddeb2bfb78c

      Download Submit
    • memory/316-68-0x0000000000000000-mapping.dmp
      Download
    • memory/428-65-0x0000000000000000-mapping.dmp
      Download
    • memory/688-60-0x0000000072651000-0x0000000072654000-memory.dmp
      Filesize

      12KB

      Download
    • memory/688-61-0x00000000700D1000-0x00000000700D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/688-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/688-66-0x00000000054C0000-0x00000000054D4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1668-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1668-64-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp
      Filesize

      8KB

      Download