Analysis

  • max time kernel: 101s
  • max time network: 47s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 21-05-2022 11:08

General

  • Target: 5740597cab760481789304022438aac74fc44994073c340b08577ee582dba776.doc
  • Size: 509KB
  • MD5: 1cc3e165448a1507ce5e59b18a7de037
  • SHA1: 1f88a72ea7e6819edbe8af361e2258d661fc9ea5
  • SHA256: 5740597cab760481789304022438aac74fc44994073c340b08577ee582dba776
  • SHA512: c01b6cd16f7075882250f8fa4bda864e8f7373afae637118ac20b6d3ffd9a371a46f9df86eedd69a7df63d867f0cd8714fc317e54e722dd6f5a348cd16f4861f

Score: 10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5740597cab760481789304022438aac74fc44994073c340b08577ee582dba776.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1936
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Roaming\and_agreeable_surprise.txt
        2⤵
        • Process spawned unexpected child process
        • Opens file in notepad (likely ransom note)
        PID:544
      • C:\Windows\SysWOW64\wbem\WMIC.exe
        "C:\Windows\System32\wbem\WMIC.exe"
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of AdjustPrivilegeToken
        PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion: Modify Registry, T1112 (1)


Downloads

  • C:\Users\Admin\AppData\Roaming\and_agreeable_surprise.txt
    Filesize: 7KB
    MD5: 3d7e774c6fed5ea2f050b6c8a3d26392
    SHA1: 48d0a0060de4bc856f250e80e56d102ad2b261d1
    SHA256: b1a4b4aa4387e862963c207cff2f3c7db1d56a497f69531151017aeb2ae11ccc
    SHA512: 1678e4794ca71b94c1ee15fda6d20b85937afb2a66d3fc6a30600f166ca8becfd009cd3f96fe2f4067451ef94e2969b94890ce2125b8abd5e30b0d806e4d1875

  • C:\Users\Admin\AppData\Roaming\and_agreeable_surprise.txt
    Filesize: 2B
    MD5: f3b25701fe362ec84616a93a45ce9998
    SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/544-77-0x0000000000000000-mapping.dmp
  • memory/908-57-0x00000000763E1000-0x00000000763E3000-memory.dmp (Filesize: 8KB)
  • memory/908-59-0x00000000710AD000-0x00000000710B8000-memory.dmp (Filesize: 44KB)
  • memory/908-61-0x00000000004AA000-0x00000000004AE000-memory.dmp (Filesize: 16KB)
  • memory/908-62-0x00000000004AA000-0x00000000004AE000-memory.dmp (Filesize: 16KB)
  • memory/908-54-0x0000000072641000-0x0000000072644000-memory.dmp (Filesize: 12KB)
  • memory/908-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/908-55-0x00000000700C1000-0x00000000700C3000-memory.dmp (Filesize: 8KB)
  • memory/908-116-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/1100-114-0x0000000000000000-mapping.dmp
  • memory/1936-58-0x0000000000000000-mapping.dmp
  • memory/1936-60-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmp (Filesize: 8KB)