Analysis

  • max time kernel: 116s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 15-04-2022 05:52

General

  • Target: 7e322758fde5bcf3d7929ca4df931514376be80a73eb64eef7db378e0cc0d4cc.doc
  • Size: 568KB
  • MD5: a04e3ee9cb2acac19938a07d3baff511
  • SHA1: faecd33c4243d60dd3f2f1c9762cad86c580167f
  • SHA256: 7e322758fde5bcf3d7929ca4df931514376be80a73eb64eef7db378e0cc0d4cc
  • SHA512: 68fe12990abcef919be6abd36829ee002b82b94be57242eb33b0eb107d6d093f31db2e01556609af0fca9f0af01c7e8ae3a5e77794bd1144b0e9e69c2a71e9a1

Score: 10/10

Signatures

  • Meta Stealer Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Executes dropped EXE 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e322758fde5bcf3d7929ca4df931514376be80a73eb64eef7db378e0cc0d4cc.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certutil -decode C:\Users\Admin\AppData\Local\Temp\\Signature.crt C:\Users\Admin\AppData\Local\Temp\\Sign.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Windows\system32\certutil.exe
        certutil -decode C:\Users\Admin\AppData\Local\Temp\\Signature.crt C:\Users\Admin\AppData\Local\Temp\\Sign.exe
        3⤵
        PID:4020
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\\Sign.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Users\Admin\AppData\Local\Temp\Sign.exe
        C:\Users\Admin\AppData\Local\Temp\\Sign.exe
        3⤵
        • Executes dropped EXE
        PID:4928

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Sign.exe
    Filesize: 113KB
    MD5: 3cd5fa46507657f723719b7809d2d1f9
    SHA1: 34ddc14b9a04eba98c3aa1cb27033e12ec847e03
    SHA256: a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9
    SHA512: c589f7628f5ac5db570564abd65a26d6b67467b3064abc08a9e352eeda8bc2e28ea7d1c02e15a145d77ec3aae7ecc1890a999df8bbdf0645c05ccfb41acd2442

  • C:\Users\Admin\AppData\Local\Temp\Signature.crt
    Filesize: 301KB
    MD5: 5e152c07eeecd3ac87ab006512995335
    SHA1: 2d6e81becabd69ef59b15daf63616011ace87540
    SHA256: f2de986d091c3d27fb083ab124cdd437275afc287da1aa83a62f391f3f6b56f7
    SHA512: 2deb4c5ea8dbf5e77b0c2d3af3e75d985f585ea435a5da9ce83ad710e44c81f424027de09c13c207d8cd0a6e3467e474f1df360efd11245b1207d796a618cb9c
