Analysis
-
max time kernel
124s -
max time network
172s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
20-05-2021 12:44
Static task
static1
Behavioral task
behavioral1
Sample
SWIFT_Scanned_Copy.docx
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
SWIFT_Scanned_Copy.docx
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
-
Target
SWIFT_Scanned_Copy.docx
-
Size
10KB
-
MD5
8978e01416dade3b6e6ed2ab2b178e3e
-
SHA1
13494691e4ffff350328020c5c9f222c76c321b4
-
SHA256
1a9633b148ef8d1dce830ed9b9b849a2e7da2cc35bed3646032cd9eb1eef4f39
-
SHA512
b271645dd4d759d1fff95f215d1fa228ed97761131270970addea84374c3acd80116d285eaf5907a56147e233d59cc0ec34c4b85b6025306c24cef77b1a910a4
Score
7/10
Malware Config
Signatures
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\https://linkzip.me/w1veZ WINWORD.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1092 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeShutdownPrivilege 1092 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1092 WINWORD.EXE 1092 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 1092 wrote to memory of 2028 1092 WINWORD.EXE splwow64.exe PID 1092 wrote to memory of 2028 1092 WINWORD.EXE splwow64.exe PID 1092 wrote to memory of 2028 1092 WINWORD.EXE splwow64.exe PID 1092 wrote to memory of 2028 1092 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SWIFT_Scanned_Copy.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1092-59-0x0000000072391000-0x0000000072394000-memory.dmpFilesize
12KB
-
memory/1092-60-0x000000006FE11000-0x000000006FE13000-memory.dmpFilesize
8KB
-
memory/1092-61-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1092-64-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2028-62-0x0000000000000000-mapping.dmp
-
memory/2028-63-0x000007FEFB891000-0x000007FEFB893000-memory.dmpFilesize
8KB