Analysis

  • max time kernel
    152s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 10:29

General

  • Target

    4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214.docm

  • Size

    387KB

  • MD5

    565717192a35dacce33823a8a7f5f897

  • SHA1

    542a54656018b6417320a84deb8e92ffec8d58c6

  • SHA256

    4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214

  • SHA512

    e16272d638f4cf43aad99072311adacc812c794c82f7b2adaa8a511959eb51d9b9ce534d0927c90d88e17b599732ac8c217e09673889d14eb34b888494d07177

Score
10/10

Malware Config

Signatures

  • Ostap JavaScript Downloader 1 IoCs

    Ostap is a JavaScript downloader that has been active since 2016. It is used to deliver several families, including TrickBot.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ostap

    Ostap is a JS downloader, used to deliver other families.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214.docm"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\MyImages\presskey.cmd
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\SysWOW64\cscript.exe
        cscript //nologo C:\MyImages\presskey.jse
        3⤵
          PID:1636
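The process tree above is the detection opportunity in this report: Word does not normally launch a command shell, and the script host (cscript.exe) is a grandchild of WINWORD.EXE, not a direct child, so a rule that only checks the immediate parent misses the final stage. The following is an added example, not part of the sandbox report or its tooling: a small Python detector that rebuilds process ancestry from process-creation events and flags any shell or script-host process that descends from an Office binary or that launches a file with a script extension. The events are constructed to mirror the PIDs and command lines shown in the tree (plus two benign decoys); the field names are an assumption in the style of Sysmon Event ID 1, not a real log export.

```python
"""Flag shell/script-host processes descended from Office applications.

Added example (not from the original report). SAMPLE_EVENTS are constructed
to mirror the report's tree: WINWORD.EXE (1668) -> cmd.exe (1484) ->
cscript.exe (1636). Field names are an assumption modelled on Sysmon EID 1.
"""
from dataclasses import dataclass
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".cmd", ".bat", ".ps1", ".hta")

DOC = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214.docm")
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        # Basename of the image path, lower-cased for comparison.
        return self.image.rsplit("\\", 1)[-1].lower()


# Constructed events: the report's chain plus two benign decoys.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1668, 400, WINWORD, f'"{WINWORD}" /n "{DOC}"'),
    ProcEvent(1484, 1668, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c C:\MyImages\presskey.cmd"),
    ProcEvent(1636, 1484, r"C:\Windows\SysWOW64\cscript.exe",
              r"cscript //nologo C:\MyImages\presskey.jse"),
    # Decoy 1: Word spawning the print spooler helper is expected and must not fire.
    ProcEvent(1700, 1668, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    # Decoy 2: a shell launched by explorer, no Office ancestor.
    ProcEvent(1800, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Return [ev, parent, grandparent, ...] by following ppid links.

    Stops at an unknown parent or on a cycle (PID reuse can produce one)."""
    chain, seen, cur = [ev], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_office_script_chains(events: List[ProcEvent]) -> List[dict]:
    """Flag processes with an Office binary anywhere in their ancestry that are
    either a known shell/script host or pass a script-file path on their command line."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        chain = ancestry(ev, by_pid)
        # Strict ancestors only; the Office process itself is not a finding.
        office = next((a for a in chain[1:] if a.name in OFFICE_PARENTS), None)
        if office is None:
            continue
        tokens = [t.strip('"').lower() for t in ev.cmdline.split()]
        runs_script = any(t.endswith(SCRIPT_EXTENSIONS) for t in tokens)
        if ev.name in SUSPICIOUS_CHILDREN or runs_script:
            findings.append({
                "pid": ev.pid,
                "child": ev.name,
                "office_ancestor": office.name,
                "depth": chain.index(office),            # 1 = direct child, 2 = grandchild
                "chain": " -> ".join(a.name for a in reversed(chain)),
                "cmdline": ev.cmdline,
            })
    return findings


if __name__ == "__main__":
    for f in find_office_script_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['chain']} (depth {f['depth']}) :: {f['cmdline']}")
```

Run stand-alone, the script reports two findings: cmd.exe (PID 1484) at depth 1 and cscript.exe (PID 1636) at depth 2, while the spooler helper and the explorer-launched shell stay quiet. Checking the whole ancestry rather than only the direct parent is what catches the script host here; the `.cmd` and `.jse` command-line check additionally catches a renamed or unlisted interpreter as long as it is handed a script file.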

Network

MITRE ATT&CK Enterprise v6

Downloads

    • memory/1668-55-0x0000000072F01000-0x0000000072F04000-memory.dmp

      Filesize

      12KB

    • memory/1668-56-0x0000000070981000-0x0000000070983000-memory.dmp

      Filesize

      8KB

    • memory/1668-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1668-58-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

      Filesize

      8KB

    • memory/1668-59-0x0000000006280000-0x0000000006ECA000-memory.dmp

      Filesize

      12.3MB

    • memory/1668-64-0x0000000007C90000-0x000000000809F000-memory.dmp

      Filesize

      4.1MB