Overview

overview

10

Static

static

Purchase Orde.doc

windows7_x64

10

Purchase Orde.doc

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 08:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Orde.doc

  • Size

    229KB

  • MD5

    15eb68a65e9ac7367a6e6bdf51eee30a

  • SHA1

    d988bf603a28bcb2c031f00101ee83509c0bce1b

  • SHA256

    ed60103a8a1837ed4691670a5307539ec832cf3ad076d6afe3bbf06c84ad4511

  • SHA512

    e86382cc89ac3d79551b2721dc44cfcb987d73151bb539a2436123f5863c1f57c902ac348be494322ff25cfb8628354df9e8f7cdac71ef605ca8a70172c5924b

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 10 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase Orde.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\oice_16_974fa576_32c1d314_3151\AC\Temp\FL3C05.tmp
    MD5

    a1c152aaffb7f8a93459a078af3327e5

    SHA1

    d3fd009c47e1547f420f1b623b5235bcc2a96e4a

    SHA256

    74dd5bd170dcb5f6367dfb73172edf198443d5425b9b93d2b5897a304a0e1245

    SHA512

    a13d39b1b305ea5246e7e471933f4d38620614b7313a05f00196013d9f007d32a856d239beeaeb4cd9773ffa2f97b8124c8137af7d5244cbed11a0561decff09

    Download Submit
  • memory/196-298-0x0000000000000000-mapping.dmp
    Download
  • memory/196-354-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
    Filesize

    64KB

    Download
  • memory/196-323-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
    Filesize

    64KB

    Download
  • memory/196-319-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
    Filesize

    64KB

    Download
  • memory/196-314-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4056-117-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4056-123-0x00007FF83F4C0000-0x00007FF8413B5000-memory.dmp
    Filesize

    31.0MB

    Download
  • memory/4056-122-0x00007FF8413C0000-0x00007FF8424AE000-memory.dmp
    Filesize

    16.9MB

    Download
  • memory/4056-118-0x00007FF846BB0000-0x00007FF8496D3000-memory.dmp
    Filesize

    43.1MB

    Download
  • memory/4056-119-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4056-114-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4056-116-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4056-115-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
    Filesize

    64KB

    Download