Overview

overview

10

Static

static

8

document.docm

windows7_x64

10

document.docm

windows10_x64

10

Resubmissions

10-05-2021 16:09

210510-xlvqhs6j76 10

10-05-2021 15:27

210510-ydc6x3dhja 10

Analysis

  • max time kernel
    144s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    10-05-2021 16:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    document.docm

  • Size

    68KB

  • MD5

    da3992522a61736e5dbc5c32978f05fe

  • SHA1

    670f0d608571fa8d799a98232cf2c16e8ccb9289

  • SHA256

    e6afaabd1e4a2c7adeedca6ee0ed095271a53a293162e3cf7ed52d570279258e

  • SHA512

    a2c3eee48add8eabf4fbe86a9e699fda302c143823f6ea3a629becf03d3d539aacfeabce52514e4b73e0db6d827031aec13e576a113f0aec92d0f7eb92f1c32a

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document.docm" /o ""
    1⤵
    • Enumerates connected drives
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:504
      • C:\Windows\SYSTEM32\mshta.exe
        mshta.exe "about:<script language=VBScript>moveTo 0,-9999:Execute(CreateObject("Scripting.FileSystemObject").GetStandardStream(0).ReadAll()):sub window_onload:Close:End Sub</script><hta:application showintaskbar=no />"
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\Users\Admin\AppData\Local\Temp\task-7655.exe
          "C:\Users\Admin\AppData\Local\Temp\task-7655.exe"
          3⤵
          • Executes dropped EXE
          PID:1292

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\task-7655.exe
      MD5

      ff9114e748fe6848ffe61cad56a10622

      SHA1

      92d27cf7f04ae2213bc94fafa554247565ea7253

      SHA256

      6f406656b410d72762ddc2419076efadc16d07e9a1e7b10fd91e9c53281efe06

      SHA512

      6ec36ab0c2df6046ca2b1251cc736753892fd8514366ee8b395e276e5c31fe6e6c743ea94c7b5b8a63b773584bf3ad788d3be77c3d3ad2cdb2b62aab15c4a54e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\task-7655.exe
      MD5

      ff9114e748fe6848ffe61cad56a10622

      SHA1

      92d27cf7f04ae2213bc94fafa554247565ea7253

      SHA256

      6f406656b410d72762ddc2419076efadc16d07e9a1e7b10fd91e9c53281efe06

      SHA512

      6ec36ab0c2df6046ca2b1251cc736753892fd8514366ee8b395e276e5c31fe6e6c743ea94c7b5b8a63b773584bf3ad788d3be77c3d3ad2cdb2b62aab15c4a54e

      Download Submit
    • memory/504-179-0x0000000000000000-mapping.dmp
      Download
    • memory/508-119-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/508-181-0x000001AB0F530000-0x000001AB0F540000-memory.dmp
      Filesize

      64KB

      Download
    • memory/508-118-0x00007FF970E10000-0x00007FF973933000-memory.dmp
      Filesize

      43.1MB

      Download
    • memory/508-122-0x00007FF969780000-0x00007FF96A86E000-memory.dmp
      Filesize

      16.9MB

      Download
    • memory/508-123-0x00007FF967880000-0x00007FF969775000-memory.dmp
      Filesize

      31.0MB

      Download
    • memory/508-117-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/508-115-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/508-114-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/508-183-0x000001AB0F530000-0x000001AB0F540000-memory.dmp
      Filesize

      64KB

      Download
    • memory/508-184-0x000001AB0F530000-0x000001AB0F540000-memory.dmp
      Filesize

      64KB

      Download
    • memory/508-182-0x000001AB0F540000-0x000001AB0F550000-memory.dmp
      Filesize

      64KB

      Download
    • memory/508-185-0x000001AB0F530000-0x000001AB0F540000-memory.dmp
      Filesize

      64KB

      Download
    • memory/508-186-0x000001AB0F530000-0x000001AB0F540000-memory.dmp
      Filesize

      64KB

      Download
    • memory/508-116-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1292-187-0x0000000000000000-mapping.dmp
      Download
    • memory/3988-180-0x0000000000000000-mapping.dmp
      Download