Analysis

  • max time kernel: 149s
  • max time network: 147s
  • platform: windows10_x64
  • resource: win10-en-20210920
  • submitted: 30-09-2021 08:53

General

  • Target: Inq PO-000202120741.doc
  • Size: 535KB
  • MD5: 4ef6b1fa16f352e1969080579b832ee3
  • SHA1: d4b85b188ad50ef69c1a238b979a1db7f0d4970d
  • SHA256: 29327d8089389d96e7ae1abcbd7c300ab587c59fa5841b748ef47e279d0c526b
  • SHA512: 85bb5bde53e6df3b759377ec1920a01281ca0f36bd477335759fdb5b043575628e7be11a960c0ff04188c2a17d4c51b9c43a6efeaf21b505a48c65311af026a3

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 10 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Inq PO-000202120741.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:2756

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Packages\oice_16_974fa576_32c1d314_3f64\AC\Temp\FLA8E8.tmp
    MD5: f8619e01a08514e4d00d75cc4136e190
    SHA1: 3477cd2a1aee1500576d49ca8343bed286b4dab6
    SHA256: f3bcfa3b579b37a2a388b808862050b7c0439df24b24c650ba14e780059bede2
    SHA512: 328348f21e4f363975f2fbe7f85704dd72b84051196f3a4e53c60eb05511be5a85c9edfb0701d0b59566cd77490f93999262120353119602c012d0ad7b3e0149

  • memory/2384-124-0x00007FF957280000-0x00007FF95836E000-memory.dmp (Filesize: 16.9MB)
  • memory/2384-118-0x00007FF93B1B0000-0x00007FF93B1C0000-memory.dmp (Filesize: 64KB)
  • memory/2384-119-0x00007FF93B1B0000-0x00007FF93B1C0000-memory.dmp (Filesize: 64KB)
  • memory/2384-121-0x00007FF93B1B0000-0x00007FF93B1C0000-memory.dmp (Filesize: 64KB)
  • memory/2384-120-0x00007FF95BA70000-0x00007FF95E593000-memory.dmp (Filesize: 43.1MB)
  • memory/2384-116-0x00007FF93B1B0000-0x00007FF93B1C0000-memory.dmp (Filesize: 64KB)
  • memory/2384-125-0x00007FF954C00000-0x00007FF956AF5000-memory.dmp (Filesize: 31.0MB)
  • memory/2384-117-0x00007FF93B1B0000-0x00007FF93B1C0000-memory.dmp (Filesize: 64KB)
  • memory/2756-362-0x0000000000000000-mapping.dmp
  • memory/2756-364-0x00007FF93B1B0000-0x00007FF93B1C0000-memory.dmp (Filesize: 64KB)
  • memory/2756-365-0x00007FF93B1B0000-0x00007FF93B1C0000-memory.dmp (Filesize: 64KB)
  • memory/2756-366-0x00007FF93B1B0000-0x00007FF93B1C0000-memory.dmp (Filesize: 64KB)
  • memory/2756-367-0x00007FF93B1B0000-0x00007FF93B1C0000-memory.dmp (Filesize: 64KB)