Overview

overview

10

Static

static

10

Quote 2405987021.docx

windows7_x64

10

Quote 2405987021.docx

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    25-05-2021 11:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quote 2405987021.docx

  • Size

    10KB

  • MD5

    992acd038fd49f200bd5510c029e74b1

  • SHA1

    f1a0abb5f96c21f8a799e4f65c4216bd968c29b7

  • SHA256

    5274c7fea16b84e327d5af683b6ef0c3e1fe1649b6cea88399e029ed5deeee6f

  • SHA512

    e08e069138e70fc13ce97ccd1f5b99c763d5b23f90773f8248a4ca5b6e3dc3e71ef277f1dd365c71e58b960b221f0ff5479694baf10a66ca6079431ff84eef10

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Quote 2405987021.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe
      "C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"
      2⤵
      • Process spawned unexpected child process
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb
    MD5

    421ece614d1ebe221f99e3d9e8f59773

    SHA1

    02877fb6f1e63f1bf48eb2e610cec1bb066ae30e

    SHA256

    74e8ee9b8dd2d81c275e7bb1f641a1ee9555298b9224cc6c8c576d93bb0a6fa0

    SHA512

    30daf5fe0a80e070e1389edf48d5a0ad6ded3f9f790d382d240d80c454d66e0bb61d43fa1e36e4495c9c97f7e68b3cce4e068bd3dc802674f1decc084e25d078

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
    MD5

    6a4185d3246b15d5e3fa6f9f59c94ba4

    SHA1

    b500c294fa82165c48ed63903a1572e99fc1a975

    SHA256

    450af3a2b2ec48227df11cf655bcf40d69ea672f1c229687eef193dcd98ae978

    SHA512

    a4d896bc02c91fd0f4d45df010347a353dadcd8517ea516f32bc4969718ba023c285f7a2ee36f6a49754074b9278b0741790c149957d051095c451fd53ba3746

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
    MD5

    6a4185d3246b15d5e3fa6f9f59c94ba4

    SHA1

    b500c294fa82165c48ed63903a1572e99fc1a975

    SHA256

    450af3a2b2ec48227df11cf655bcf40d69ea672f1c229687eef193dcd98ae978

    SHA512

    a4d896bc02c91fd0f4d45df010347a353dadcd8517ea516f32bc4969718ba023c285f7a2ee36f6a49754074b9278b0741790c149957d051095c451fd53ba3746

    Download Submit
  • memory/2600-179-0x0000000000000000-mapping.dmp
    Download
  • memory/2600-182-0x00007FFA38500000-0x00007FFA38510000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4656-117-0x00007FFA38500000-0x00007FFA38510000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4656-122-0x00007FFA54150000-0x00007FFA5523E000-memory.dmp
    Filesize

    16.9MB

    Download
  • memory/4656-123-0x00007FFA52250000-0x00007FFA54145000-memory.dmp
    Filesize

    31.0MB

    Download
  • memory/4656-118-0x00007FFA592C0000-0x00007FFA5BDE3000-memory.dmp
    Filesize

    43.1MB

    Download
  • memory/4656-119-0x00007FFA38500000-0x00007FFA38510000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4656-114-0x00007FFA38500000-0x00007FFA38510000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4656-116-0x00007FFA38500000-0x00007FFA38510000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4656-115-0x00007FFA38500000-0x00007FFA38510000-memory.dmp
    Filesize

    64KB

    Download