Overview

overview

10

Static

static

8

dictate-010.21.doc

windows7_x64

10

dictate-010.21.doc

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    21-10-2021 18:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dictate-010.21.doc

  • Size

    34KB

  • MD5

    27c6e3a95419811dade0a91336ed78ba

  • SHA1

    1cb11df53cb076607bb6c3aac65c9efd7238e5c0

  • SHA256

    aa8f2b060e929883fab4209f54d43b5c7ac75d98926180a61c13eca889cddeb3

  • SHA512

    d83ff89f2a06d0ee3913bad17262cf0bcacdc9a1147592458e7ba79dc63a9a592ea5d1e12c3c96d15d55bfe435eb015a12a019c0114a318733d5508ca3f8f0c9

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dictate-010.21.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\seaYouCaroline.hta"
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" c:\users\public\seaLadyLine.jpg
        3⤵
          PID:1224
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1716

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\users\public\seaYouCaroline.hta
        MD5

        836cfe47fac47e317b075e1221957676

        SHA1

        5f55dd4c8572c8c5e52bafca8c89e1ad0d97e11f

        SHA256

        ae195755cd0ed8279ea7f7666a420fa45afb4863839999a3f541264213ffa175

        SHA512

        cf99e94fe171e8ee9df723b68105e197c79999eaa9dfde1a2bb7d456473c8ef2637f6b05495b9ad021bc60d5abd561794fd13833ed6e1e48e90307376c5b0585

        Download Submit
      • \??\c:\users\public\seaLadyLine.jpg
        MD5

        504f2870481c875c03373249cdf38e49

        SHA1

        7f34068ef0f8b8208003aec1e2f6742125c47acf

        SHA256

        57ce0aa9c7767160043b7b4e0778043697ee1ee90c05409325a82007a7ef7c5f

        SHA512

        2c5e35de54a4f8658b01d144d5d1ba935cb851badcc96993492be298452ea7d0036bdfbc1d6e1091fecd074a400e31b53e1f7f4211bddf6d515bfbe6952535aa

        Download Submit
      • memory/320-54-0x0000000072441000-0x0000000072444000-memory.dmp
        Filesize

        12KB

        Download
      • memory/320-55-0x000000006FEC1000-0x000000006FEC3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/320-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/320-57-0x00000000757B1000-0x00000000757B3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/320-67-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1224-63-0x0000000000000000-mapping.dmp
        Download
      • memory/1224-66-0x0000000000210000-0x0000000000211000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1716-61-0x0000000000000000-mapping.dmp
        Download
      • memory/1716-62-0x000007FEFB951000-0x000007FEFB953000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1972-58-0x0000000000000000-mapping.dmp
        Download