Analysis
-
max time kernel
102s -
max time network
104s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-06-2022 19:36
General
-
Target
20e34ba4bc010f84a75d72ee6dad0b1a0524b56fa5268deb84a3d88c4ed87880.docm
-
Size
255KB
-
MD5
ed3b4e9f3e4ecaa892a385bf73637b7d
-
SHA1
cbe4f0dfe65091ac454323821a87bf4811a4b985
-
SHA256
20e34ba4bc010f84a75d72ee6dad0b1a0524b56fa5268deb84a3d88c4ed87880
-
SHA512
bfc5f7db658e893bffe4bc08b4916d1478349198b1b80c822ece134689f171c8ce5334893150cbb6cbacd98f5f8ae4489dcf5a86006f0ffc802057e0eacd7fb1
Malware Config
Extracted
metasploit
windows/reverse_http
http://intranet.iml-bank.info:8443/bYdlO5EaAdxEN0U2HZnuJgNIg3DW9OTJnb8evXSt58vYMLdYSI0mna6_pJRRxZXDbngIH_8E88XkC337M3U3EQJNFwHQJtiw8a8bTNqNcc-niwQ-nqOBcnfqorz6aMGUvym9oK5dH3ctbP8zV
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\20e34ba4bc010f84a75d72ee6dad0b1a0524b56fa5268deb84a3d88c4ed87880.docm"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Executes dropped EXE
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\file.exeFilesize
72KB
MD5644b38db200b8f0d59fc74c8e252d519
SHA1a293c6ee0fc92e62c22ac1186441a8ef81231403
SHA256aa2b79a78eac63315d2c20a89f28fd1261d9d5e96434c2e015b7dad8e5a043f0
SHA5124908fe977c23fd98bc06082fa8e247fc37661b94878f3271ff4fba067c37d51ca67464b1e0eac1b3ed695cc6416c474260cd7f454518b9ce96af0e8733378a65
-
\Users\Admin\AppData\Local\Temp\file.exeFilesize
72KB
MD5644b38db200b8f0d59fc74c8e252d519
SHA1a293c6ee0fc92e62c22ac1186441a8ef81231403
SHA256aa2b79a78eac63315d2c20a89f28fd1261d9d5e96434c2e015b7dad8e5a043f0
SHA5124908fe977c23fd98bc06082fa8e247fc37661b94878f3271ff4fba067c37d51ca67464b1e0eac1b3ed695cc6416c474260cd7f454518b9ce96af0e8733378a65
-
\Users\Admin\AppData\Local\Temp\file.exeFilesize
72KB
MD5644b38db200b8f0d59fc74c8e252d519
SHA1a293c6ee0fc92e62c22ac1186441a8ef81231403
SHA256aa2b79a78eac63315d2c20a89f28fd1261d9d5e96434c2e015b7dad8e5a043f0
SHA5124908fe977c23fd98bc06082fa8e247fc37661b94878f3271ff4fba067c37d51ca67464b1e0eac1b3ed695cc6416c474260cd7f454518b9ce96af0e8733378a65
-
memory/684-1222-0x0000000000000000-mapping.dmp
-
memory/892-1219-0x0000000000000000-mapping.dmp
-
memory/1376-97-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-59-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1376-96-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-58-0x000000007159D000-0x00000000715A8000-memory.dmpFilesize
44KB
-
memory/1376-95-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-72-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-71-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-75-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-94-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-103-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-118-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-117-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-209-0x0000000005F10000-0x0000000006010000-memory.dmpFilesize
1024KB
-
memory/1376-207-0x0000000005F10000-0x0000000006010000-memory.dmpFilesize
1024KB
-
memory/1376-116-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-115-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-114-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-113-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-112-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-111-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-110-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-109-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-108-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-107-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-106-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-105-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-104-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-102-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-101-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-100-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-99-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-98-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-54-0x0000000072B31000-0x0000000072B34000-memory.dmpFilesize
12KB
-
memory/1376-57-0x0000000075AE1000-0x0000000075AE3000-memory.dmpFilesize
8KB
-
memory/1376-93-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-55-0x00000000705B1000-0x00000000705B3000-memory.dmpFilesize
8KB
-
memory/1376-92-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-91-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-90-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-89-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-88-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-87-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-86-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-85-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-84-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-83-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-82-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-81-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-80-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-79-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-78-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-77-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-76-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-74-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-73-0x00000000002A1000-0x00000000002A5000-memory.dmpFilesize
16KB
-
memory/1376-70-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-69-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-68-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-67-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-66-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-65-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-64-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-63-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-62-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-61-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-60-0x0000000005F24000-0x0000000005F2D000-memory.dmpFilesize
36KB
-
memory/1376-1223-0x0000000005F10000-0x0000000006010000-memory.dmpFilesize
1024KB
-
memory/1376-1225-0x000000007159D000-0x00000000715A8000-memory.dmpFilesize
44KB
-
memory/1376-1226-0x0000000005F10000-0x0000000006010000-memory.dmpFilesize
1024KB
-
memory/1376-1228-0x000000007159D000-0x00000000715A8000-memory.dmpFilesize
44KB