Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    31-12-2021 16:49

General

  • Target

    Payment Report.cmd.exe

  • Size

    3.7MB

  • MD5

    5c63755d604b0c51a551a2c964bae024

  • SHA1

    3ac1db094834057c5bcfc1f5a0fc0a62aa019a08

  • SHA256

    7a9f38126a3ac9cbc015c96e8c63d78c8fba697b4684ea8ac5bc8e687bd9d7be

  • SHA512

    4e745d572c3255e13d7206593834b84e88cfcfbb7a34955f2f72511a1a5d64d21a85b18e1258a8f884de1ea599c2d20273358a63885b4f7f38989a7dc664761e

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's canned description labels this "likely ransomware behaviour", but drive enumeration on its own is also ordinary installer and loader behaviour, and nothing else in this report (no file-encryption or ransom-note signatures, score 4/10) corroborates ransomware here.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment Report.cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Report.cmd.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
      2⤵
      PID:572
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /vu "C:\Users\Admin\Desktop\UnprotectInitialize.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:636
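The ⤵ markers give tree depth: both "Payment Report.cmd.exe" (PID 1704) and WINWORD.EXE (PID 636) sit at depth 1, so the Office process was not spawned by the sample, and the signatures that only PID 636 triggered (file drop in the Windows directory, Internet Explorer and registry class changes, AddClipboardFormatListener) belong to that separate root process rather than to the sample's lineage; only the SetWindowsHookEx and WriteProcessMemory hits on PID 1704 are the sample's own. The Python below is an added example, not part of the sandbox report or its tooling: it parses a constructed transcription of the tree above, rebuilds parent/child links from the depth markers, and splits the signature hits into those fired by the sample's process lineage and those fired by unrelated root processes. The line layout it assumes (image path, command line, depth marker, "•" signature lines, PID line) is inferred from this listing, not a documented format.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

DEPTH_RE = re.compile(r"^(\d+)⤵$")   # "1⤵" = root process, "2⤵" = child of the last depth-1 process
PID_RE = re.compile(r"^PID:(\d+)$")

# Constructed transcription of the process tree above, one item per line:
# image path, command line, depth marker, zero or more "•" signature lines, PID.
REPORT_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\Payment Report.cmd.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Report.cmd.exe"
1⤵
• Suspicious use of SetWindowsHookEx
• Suspicious use of WriteProcessMemory
PID:1704
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
2⤵
PID:572
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /vu "C:\Users\Admin\Desktop\UnprotectInitialize.rtf"
1⤵
• Drops file in Windows directory
• Modifies Internet Explorer settings
• Modifies registry class
• Suspicious behavior: AddClipboardFormatListener
• Suspicious use of SetWindowsHookEx
PID:636
"""


@dataclass
class Process:
    image: str
    cmdline: str
    depth: int
    pid: int
    parent: Optional[int]                      # None for a root (depth 1) process
    signatures: list = field(default_factory=list)
    children: list = field(default_factory=list)


def parse_tree(text):
    """Parse the listing into {pid: Process}; a depth-d process is attached to the most recent depth d-1 process."""
    procs, last_at_depth = {}, {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        image, cmdline = lines[i], lines[i + 1]
        depth = int(DEPTH_RE.match(lines[i + 2]).group(1))
        i += 3
        sigs = []
        while lines[i].startswith("•"):            # signature bullets, if any
            sigs.append(lines[i].lstrip("• ").strip())
            i += 1
        pid = int(PID_RE.match(lines[i]).group(1))
        i += 1
        parent = last_at_depth.get(depth - 1) if depth > 1 else None
        procs[pid] = Process(image, cmdline, depth, pid, parent, sigs)
        last_at_depth[depth] = pid
        if parent is not None:
            procs[parent].children.append(pid)
    return procs


def lineage(procs, root_pid):
    """PIDs of root_pid and everything it (transitively) spawned."""
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        seen.add(pid)
        stack.extend(procs[pid].children)
    return seen


def attribute_signatures(procs, sample_filename):
    """Split signature hits into {signature: [pids]} for the sample's lineage and,
    separately, for unrelated root processes (sandbox noise such as a separately
    launched Office instance)."""
    roots = [p for p in procs.values() if p.parent is None]
    sample = next(p for p in roots if p.image.lower().endswith(sample_filename.lower()))
    own = lineage(procs, sample.pid)
    attributed, noise = {}, {}
    for pid, p in procs.items():
        bucket = attributed if pid in own else noise
        for sig in p.signatures:
            bucket.setdefault(sig, []).append(pid)
    return attributed, noise


if __name__ == "__main__":
    procs = parse_tree(REPORT_TREE)
    attributed, noise = attribute_signatures(procs, "Payment Report.cmd.exe")
    print("sample lineage:", sorted(lineage(procs, 1704)))
    print("attributable to the sample:", attributed)
    print("fired only by unrelated processes:", {s: p for s, p in noise.items() if s not in attributed})
```

Run stand-alone, the script reports lineage {572, 1704} for the sample and puts the four Office-only signatures in the noise bucket; SetWindowsHookEx appears in both buckets because both root processes triggered it.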

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/572-57-0x0000000000000000-mapping.dmp
  • memory/636-58-0x0000000072EB1000-0x0000000072EB4000-memory.dmp (Filesize 12KB)
  • memory/636-59-0x0000000070931000-0x0000000070933000-memory.dmp (Filesize 8KB)
  • memory/636-60-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
  • memory/636-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
  • memory/1704-54-0x0000000000300000-0x0000000000306000-memory.dmp (Filesize 24KB)
  • memory/1704-55-0x0000000000300000-0x000000000030A000-memory.dmp (Filesize 40KB)
  • memory/1704-56-0x00000000766D1000-0x00000000766D3000-memory.dmp (Filesize 8KB)
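Each dump name encodes the PID, a sequence number and the dumped address range, and the range should agree with the reported Filesize (for example 0x72EB4000 - 0x72EB1000 = 0x3000 = 12KB); a `-mapping.dmp` entry carries a single address and no size. The Python below is an added example, not from the sandbox or this report, that parses a constructed copy of the list above, checks every range against its Filesize, and lists regions of one PID that were captured more than once, which here are the 0x5FFF0000 region of PID 636 (dumps 60 and 62) and the 0x300000 region of PID 1704, where dump 55 extends 0x4000 bytes beyond dump 54. The name grammar is inferred from these entries and is an assumption, not a documented format.

```python
import re
from itertools import combinations

# Name grammar inferred from the entries above (an assumption, not a documented format):
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp    region dump
#   memory/<pid>-<seq>-0x<addr>-mapping.dmp            mapping record, no range, no size
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")

# Constructed copy of the Downloads list above: (dump name, reported Filesize or None).
REPORT_DUMPS = [
    ("memory/572-57-0x0000000000000000-mapping.dmp", None),
    ("memory/636-58-0x0000000072EB1000-0x0000000072EB4000-memory.dmp", "12KB"),
    ("memory/636-59-0x0000000070931000-0x0000000070933000-memory.dmp", "8KB"),
    ("memory/636-60-0x000000005FFF0000-0x0000000060000000-memory.dmp", "64KB"),
    ("memory/636-62-0x000000005FFF0000-0x0000000060000000-memory.dmp", "64KB"),
    ("memory/1704-54-0x0000000000300000-0x0000000000306000-memory.dmp", "24KB"),
    ("memory/1704-55-0x0000000000300000-0x000000000030A000-memory.dmp", "40KB"),
    ("memory/1704-56-0x00000000766D1000-0x00000000766D3000-memory.dmp", "8KB"),
]

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_size(text):
    """'12KB' -> 12288. Whole units only; the report shows no fractional sizes."""
    m = re.fullmatch(r"(\d+)(B|KB|MB)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_dump_name(name):
    """Split a dump name into pid, seq, kind and the address range (end is None for mapping records)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end, kind = m.groups()
    return {"name": name, "pid": int(pid), "seq": int(seq), "kind": kind,
            "start": int(start, 16), "end": int(end, 16) if end else None}


def check_dumps(entries):
    """Parse every entry; return (parsed, problems), where problems names region dumps
    whose reported Filesize is not exactly end - start."""
    parsed, problems = [], []
    for name, size in entries:
        d = parse_dump_name(name)
        d["reported"] = parse_size(size) if size else None
        if d["kind"] == "memory":
            d["range_bytes"] = d["end"] - d["start"]
            if d["reported"] != d["range_bytes"]:
                problems.append(name)
        parsed.append(d)
    return parsed, problems


def regions_by_pid(parsed):
    """{pid: [(seq, start, end), ...]} for region dumps, ordered by sequence number."""
    out = {}
    for d in parsed:
        if d["kind"] == "memory":
            out.setdefault(d["pid"], []).append((d["seq"], d["start"], d["end"]))
    for regions in out.values():
        regions.sort()
    return out


def overlapping_regions(parsed):
    """(pid, seq_a, seq_b) for each pair of region dumps of one PID whose address
    ranges intersect, i.e. the same memory captured more than once."""
    hits = []
    for pid, regions in regions_by_pid(parsed).items():
        for (sa, a0, a1), (sb, b0, b1) in combinations(regions, 2):
            if a0 < b1 and b0 < a1:
                hits.append((pid, sa, sb))
    return sorted(hits)


if __name__ == "__main__":
    parsed, problems = check_dumps(REPORT_DUMPS)
    print("size mismatches:", problems or "none")
    for pid, seq_a, seq_b in overlapping_regions(parsed):
        print(f"PID {pid}: dump {seq_a} and dump {seq_b} cover overlapping memory")
```

For this report every Filesize matches its address range, so the check is a sanity test of the listing rather than a finding; the overlap report is the useful part, because a region dumped twice at different sizes is where an analyst would diff the two captures first.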