Overview

overview

10

Static

static

paymen_invoice.doc

windows7_x64

10

paymen_invoice.doc

windows10_x64

10

Analysis

  • max time kernel
    300s
  • max time network
    303s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    06-09-2021 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    paymen_invoice.doc

  • Size

    340KB

  • MD5

    285d05dd2a3a053e5095f09b609fca64

  • SHA1

    668f3a6f6fa038bdbcd0e57d32783f37c259469d

  • SHA256

    e31f5bfd01e6d5876991d6aae68921b7510090d880d2602ed57032e7d14a9cae

  • SHA512

    1db0f843078059020981aba55b5fe40d72ec5cc1aa0903353bde23e28299cfd732435760f80e7423c7b999e64e810090bfbaa2f90609aa426cd79074c655c407

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 10 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\paymen_invoice.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\oice_16_974fa576_32c1d314_11eb\AC\Temp\FLB1.tmp
    MD5

    ae720cf66d854deb4ecea0095c029628

    SHA1

    3b44dfbafab60de167791c77bf3f614ee0d55835

    SHA256

    511bf1022bab4c800620456e839abb2320e913d6e6ef8f4e093801e6b96d09b8

    SHA512

    1d1e001028c2100a73fff478c39914bb0dc48c584aeed22eed899627851e3d325125a08541d174dbcf2d09c060a2377bcd96c38ddcce075ab7c44a5350773350

    Download Submit
  • memory/1796-293-0x0000000000000000-mapping.dmp
    Download
  • memory/1796-311-0x00007FFAA7060000-0x00007FFAA7070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1796-304-0x00007FFAA7060000-0x00007FFAA7070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1796-329-0x00007FFAA7060000-0x00007FFAA7070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1796-308-0x00007FFAA7060000-0x00007FFAA7070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4688-119-0x00007FFAC7E90000-0x00007FFACA9B3000-memory.dmp
    Filesize

    43.1MB

    Download
  • memory/4688-124-0x00007FFAC0400000-0x00007FFAC22F5000-memory.dmp
    Filesize

    31.0MB

    Download
  • memory/4688-123-0x00007FFAC2C50000-0x00007FFAC3D3E000-memory.dmp
    Filesize

    16.9MB

    Download
  • memory/4688-118-0x00007FFAA7060000-0x00007FFAA7070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4688-117-0x00007FFAA7060000-0x00007FFAA7070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4688-115-0x00007FFAA7060000-0x00007FFAA7070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4688-116-0x00007FFAA7060000-0x00007FFAA7070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4688-120-0x00007FFAA7060000-0x00007FFAA7070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4688-471-0x00007FFAA7060000-0x00007FFAA7070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4688-472-0x00007FFAA7060000-0x00007FFAA7070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4688-473-0x00007FFAA7060000-0x00007FFAA7070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4688-474-0x00007FFAA7060000-0x00007FFAA7070000-memory.dmp
    Filesize

    64KB

    Download