Analysis

  • max time kernel
    106s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-04-2022 05:52

General

  • Target

    7e322758fde5bcf3d7929ca4df931514376be80a73eb64eef7db378e0cc0d4cc.doc

  • Size

    568KB

  • MD5

    a04e3ee9cb2acac19938a07d3baff511

  • SHA1

    faecd33c4243d60dd3f2f1c9762cad86c580167f

  • SHA256

    7e322758fde5bcf3d7929ca4df931514376be80a73eb64eef7db378e0cc0d4cc

  • SHA512

    68fe12990abcef919be6abd36829ee002b82b94be57242eb33b0eb107d6d093f31db2e01556609af0fca9f0af01c7e8ae3a5e77794bd1144b0e9e69c2a71e9a1

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e322758fde5bcf3d7929ca4df931514376be80a73eb64eef7db378e0cc0d4cc.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:900
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c certutil -decode C:\Users\Admin\AppData\Local\Temp\\Signature.crt C:\Users\Admin\AppData\Local\Temp\\Sign.exe
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Windows\SysWOW64\certutil.exe
          certutil -decode C:\Users\Admin\AppData\Local\Temp\\Signature.crt C:\Users\Admin\AppData\Local\Temp\\Sign.exe
          3⤵
            PID:592
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\\Sign.exe
          2⤵
          • Process spawned unexpected child process
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:776
          • C:\Users\Admin\AppData\Local\Temp\Sign.exe
            C:\Users\Admin\AppData\Local\Temp\\Sign.exe
            3⤵
            • Executes dropped EXE
            PID:548

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Sign.exe

    Filesize

    113KB

    MD5

    3cd5fa46507657f723719b7809d2d1f9

    SHA1

    34ddc14b9a04eba98c3aa1cb27033e12ec847e03

    SHA256

    a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9

    SHA512

    c589f7628f5ac5db570564abd65a26d6b67467b3064abc08a9e352eeda8bc2e28ea7d1c02e15a145d77ec3aae7ecc1890a999df8bbdf0645c05ccfb41acd2442

  • C:\Users\Admin\AppData\Local\Temp\Signature.crt

    Filesize

    301KB

    MD5

    5e152c07eeecd3ac87ab006512995335

    SHA1

    2d6e81becabd69ef59b15daf63616011ace87540

    SHA256

    f2de986d091c3d27fb083ab124cdd437275afc287da1aa83a62f391f3f6b56f7

    SHA512

    2deb4c5ea8dbf5e77b0c2d3af3e75d985f585ea435a5da9ce83ad710e44c81f424027de09c13c207d8cd0a6e3467e474f1df360efd11245b1207d796a618cb9c

  • \Users\Admin\AppData\Local\Temp\Sign.exe

    Filesize

    113KB

    MD5

    3cd5fa46507657f723719b7809d2d1f9

    SHA1

    34ddc14b9a04eba98c3aa1cb27033e12ec847e03

    SHA256

    a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9

    SHA512

    c589f7628f5ac5db570564abd65a26d6b67467b3064abc08a9e352eeda8bc2e28ea7d1c02e15a145d77ec3aae7ecc1890a999df8bbdf0645c05ccfb41acd2442

  • memory/548-73-0x00000000002D0000-0x00000000002E0000-memory.dmp

    Filesize

    64KB

  • memory/548-72-0x00000000003F0000-0x0000000000416000-memory.dmp

    Filesize

    152KB

  • memory/548-71-0x000000001B300000-0x000000001B302000-memory.dmp

    Filesize

    8KB

  • memory/548-70-0x0000000001160000-0x0000000001182000-memory.dmp

    Filesize

    136KB

  • memory/876-54-0x0000000072E61000-0x0000000072E64000-memory.dmp

    Filesize

    12KB

  • memory/876-59-0x00000000718CD000-0x00000000718D8000-memory.dmp

    Filesize

    44KB

  • memory/876-57-0x0000000075E31000-0x0000000075E33000-memory.dmp

    Filesize

    8KB

  • memory/876-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/876-55-0x00000000708E1000-0x00000000708E3000-memory.dmp

    Filesize

    8KB

  • memory/876-74-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/900-60-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

    Filesize

    8KB