Overview

overview

10

Static

static

8

49303ee1dd...d7.doc

windows7_x64

10

49303ee1dd...d7.doc

windows10-2004_x64

10

Analysis

  • max time kernel
    106s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49303ee1dd10a23c5fccd5ef4559ffbbd3e03b2adc4ec37175eb52ada1ad0bd7.doc

  • Size

    4.7MB

  • MD5

    d6bb808b52a7dd0b1897904851eddae4

  • SHA1

    b7ea8f182792e226442c79330bc7da821a84d838

  • SHA256

    49303ee1dd10a23c5fccd5ef4559ffbbd3e03b2adc4ec37175eb52ada1ad0bd7

  • SHA512

    697a152d76f08fe4a8461f319e645660f660b1c313df8d4e18b43c20366b8d538461607592a335fce0ec5f44867f11afd0c85f50b4afb859b54557f4a7d7da5b

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\49303ee1dd10a23c5fccd5ef4559ffbbd3e03b2adc4ec37175eb52ada1ad0bd7.doc"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1556
      • C:\Windows\SysWOW64\tracert.exe
        "C:\Windows\system32\tracert.exe"
        2⤵
        • Process spawned unexpected child process
        PID:1344

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\commiserations.dll
      Filesize

      10KB

      MD5

      bc378baf3efc517a7f65634d81fa6d00

      SHA1

      4b5225a860d134ada25bc851e6ce9b4ad1b87052

      SHA256

      8d09edcc59e855d965a0ad7195110794057a245b7b3185d24ec1f9a1e29b247d

      SHA512

      e9d3138018e10e03c3de5ea203b88d01bf5b4295d3e65db4f8eb5939c041af788b40c2dd0b6dd8756c1f18528f6dba2e3b361f4686f738801ccf67ef9d6067fb

      Download Submit
    • \Users\Admin\AppData\Local\Temp\commiserations.dll
      Filesize

      61KB

      MD5

      86faa6a43cfd1a43fed41a8a679f6d34

      SHA1

      824840b17a58d57388a8423710bcd33f7e97d2d8

      SHA256

      e40676c68e10dc56eb078e1a49b33b692e2dc8b5da61642f9b9cc805844faff0

      SHA512

      6a08fda3aef001fce4f36e634c924d232a9da86e0c1646b7b3f3078c17471e36e57eb7762c98cc9c887fbced277befea9332b63ce4c6f1e7af04ca3cdef50691

      Download Submit
    • memory/1344-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1556-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1556-59-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1684-64-0x0000000005AD0000-0x0000000005AD7000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1684-60-0x000000007121D000-0x0000000071228000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1684-57-0x00000000752D1000-0x00000000752D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1684-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1684-55-0x0000000070231000-0x0000000070233000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1684-54-0x00000000727B1000-0x00000000727B4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1684-66-0x0000000006680000-0x00000000066B3000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1684-67-0x0000000009770000-0x0000000009900000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1684-68-0x000000000A0D0000-0x000000000A200000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1684-70-0x0000000008100000-0x0000000008158000-memory.dmp
      Filesize

      352KB

      Download
    • memory/1684-73-0x000000000AEA0000-0x000000000AF2E000-memory.dmp
      Filesize

      568KB

      Download
    • memory/1684-74-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download