Overview

overview

10

Static

static

10

01/2015.5.27/01.vir

windows7_x64

3

01/2015.5.27/01.vir

windows10_x64

3

PER-DCOMP-...ao.dll

windows7_x64

1

PER-DCOMP-...ao.dll

windows10_x64

1

01/2015.5.27/03.exe

windows7_x64

8

01/2015.5.27/03.exe

windows10_x64

8

01/2015.5.27/04.exe

windows7_x64

1

01/2015.5.27/04.exe

windows10_x64

1

01/2015.5.27/05.exe

windows7_x64

10

01/2015.5.27/05.exe

windows10_x64

10

01/2015.5.27/07.exe

windows7_x64

7

01/2015.5.27/07.exe

windows10_x64

7

01/2015.5.27/09.exe

windows7_x64

10

01/2015.5.27/09.exe

windows10_x64

10

01/2015.5.27/10.exe

windows7_x64

10

01/2015.5.27/10.exe

windows10_x64

10

01/2015.5.27/12.pdf

windows7_x64

1

01/2015.5.27/12.pdf

windows10_x64

1

01/2015.5.27/13.pdf

windows7_x64

1

01/2015.5.27/13.pdf

windows10_x64

1

01/2015.5.27/14.exe

windows7_x64

8

01/2015.5.27/14.exe

windows10_x64

8

01/2015.5.27/15.dll

windows7_x64

1

01/2015.5.27/15.dll

windows10_x64

1

01/2015.5.27/16.rtf

windows7_x64

10

01/2015.5.27/16.rtf

windows10_x64

1

01/2015.5.27/17.pdf

windows7_x64

1

01/2015.5.27/17.pdf

windows10_x64

1

01/2015.5.27/18.doc

windows7_x64

1

01/2015.5.27/18.doc

windows10_x64

1

Analysis

  • max time kernel
    152s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01/2015.5.27/16.rtf

  • Size

    645KB

  • MD5

    4be96ff0f019a966dcf941121d9c4708

  • SHA1

    b699d9c175ad5e05cfe32fb4bf560af9d2501df5

  • SHA256

    28dc42f7c79bc17885a992211492b5c34cedf62d496dea3e179fcbc553c95a17

  • SHA512

    2218b56c96e51f42a31250ae9cae8b1249b919966d30c615ed9488c63b1164820f86108b10c202362e86ccc5a1046f0ccf5fc89f948e65a827d7d606903af777

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\16.rtf"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:300
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmp
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmp"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmp
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmp"
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:992
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec.exe
          3⤵
          • Adds policy Run key to start application
          • Modifies Internet Explorer Phishing Filter
          • Suspicious behavior: EnumeratesProcesses
          PID:920

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmp
      MD5

      b1247bab4bc611e49ae0d3c2b9e8a86b

      SHA1

      04476bf6c86e10e651befb2c4733e1ea69e10be0

      SHA256

      1b975ac3b07c179eaa883a217afcb16771de3d5ba4e1c52b82ad60fdb97410a6

      SHA512

      99a81a9d59d6f30a71737abe7b06d88a6a63a314e7b0be0d462532e5ef65555cc9f5370ec67b8d499f116e4db0aaee282925315c949d85c4068889946e0cd5b2

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmp
      MD5

      b1247bab4bc611e49ae0d3c2b9e8a86b

      SHA1

      04476bf6c86e10e651befb2c4733e1ea69e10be0

      SHA256

      1b975ac3b07c179eaa883a217afcb16771de3d5ba4e1c52b82ad60fdb97410a6

      SHA512

      99a81a9d59d6f30a71737abe7b06d88a6a63a314e7b0be0d462532e5ef65555cc9f5370ec67b8d499f116e4db0aaee282925315c949d85c4068889946e0cd5b2

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmp
      MD5

      b1247bab4bc611e49ae0d3c2b9e8a86b

      SHA1

      04476bf6c86e10e651befb2c4733e1ea69e10be0

      SHA256

      1b975ac3b07c179eaa883a217afcb16771de3d5ba4e1c52b82ad60fdb97410a6

      SHA512

      99a81a9d59d6f30a71737abe7b06d88a6a63a314e7b0be0d462532e5ef65555cc9f5370ec67b8d499f116e4db0aaee282925315c949d85c4068889946e0cd5b2

      Download Submit
    • memory/300-59-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/920-72-0x0000000000120000-0x0000000000137000-memory.dmp
      Filesize

      92KB

      Download
    • memory/992-71-0x0000000000400000-0x000000000040F000-memory.dmp
      Filesize

      60KB

      Download
    • memory/992-68-0x0000000000400000-0x000000000040F000-memory.dmp
      Filesize

      60KB

      Download
    • memory/1540-58-0x0000000075D61000-0x0000000075D63000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1540-61-0x00000000070D0000-0x000000000722C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1540-60-0x0000000006450000-0x0000000006460000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1540-55-0x00000000720C1000-0x00000000720C4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1540-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1540-56-0x000000006FB41000-0x000000006FB43000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1544-65-0x00000000003C0000-0x00000000003C2000-memory.dmp
      Filesize

      8KB

      Download