Overview

overview

10

Static

static

10

proforma invoice.docx

windows7_x64

8

proforma invoice.docx

windows10_x64

1

Analysis

  • max time kernel
    141s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-06-2021 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    proforma invoice.docx

  • Size

    10KB

  • MD5

    82f8c629f87ee2817431ee1caae6500c

  • SHA1

    39ab645187be422bef46f84c50e8dde6e382383a

  • SHA256

    1e5c7d755892b33d04097940dbc716232e7bde143119d25b282c532c242b5f7a

  • SHA512

    638b4f924fac05dd81a7063cdef8bd71172ccb12223f64a746ab919d70613bc75c83c1fd861cee7f3402de1c6d8b9e77e8363d17bea904b5dcb13635e73edc43

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\proforma invoice.docx"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1804
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Launches Equation Editor
      PID:1484

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1484-63-0x0000000075161000-0x0000000075163000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1484-64-0x00000000043A0000-0x0000000004564000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1724-60-0x0000000072121000-0x0000000072124000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1724-61-0x000000006FBA1000-0x000000006FBA3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1724-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1804-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1804-66-0x000007FEFB571000-0x000007FEFB573000-memory.dmp
      Filesize

      8KB

      Download