Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2022, 02:55

General

  • Target

    comn701bul.dotm

  • Size

    23KB

  • MD5

    12f938b403dc7d335c21703b67d23f81

  • SHA1

    24a2355e905f6f6328830506077033e789941fa4

  • SHA256

    ff70cb7fbe9723660b9a8e46ca828b31432be1abcd6fa372f934f0c702cfaeae

  • SHA512

    e37f7a0aecfbe4aedd2171f878a232f193643c8870dd1ba5aa3a121c8ad284f4181a3d45ff6a0b1856961699aa7a6795a6694dac803fe83bb7123781fb8c69cf

  • SSDEEP

    384:tmt4EDRI4j9hk9Z2Z5Yt2vE9Ar6Fjle+gq1ei+4Nxt/ZtNNTNKXY1/Ln4Whcjqhm:q4uphhcXAr6Fjle+f7ZxllN/ddOWHg

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Script User-Agent (2 IoCs)

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\comn701bul.dotm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Users\Admin\AppData\Roaming\Microsoft\MsUpdate.cpl
      C:\Users\Admin\AppData\Roaming\Microsoft\MsUpdate.cpl
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks -create -tn "MicrosoftUpdateStatisticCore Task-S-1-5-21-2629973501-4017243118-3254762364-1000" /XML C:\Users\Admin\AppData\Roaming\Microsoft\Tsk.xml
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks -create -tn "MicrosoftUpdateStatisticCore Task-S-1-5-21-2629973501-4017243118-3254762364-1000" /XML C:\Users\Admin\AppData\Roaming\Microsoft\Tsk.xml
          4⤵
          PID:3580

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\MsUpdate.cpl

      Filesize

      87KB

      MD5

      f512ab1d4a38bdfe39451bf678f6bbae

      SHA1

      f4d0be2ed6febb20b16e3cd0807a58c5efed7ea1

      SHA256

      601243aef0e2f9e945dc5ae5324517d31726f452acd54543cc106d691687710e

      SHA512

      d9c84b35f9b3504ca2214113e1325b44f13fd9b5171f8475789b935241316f335c14c9c80ef20aabc7236a21cb17e11ad5ebccff4f08d56f6c75f4c8e19c7bad

    • C:\Users\Admin\AppData\Roaming\Microsoft\Tsk.xml

      Filesize

      1KB

      MD5

      8d503de4bfa7a3df51772667b00c7720

      SHA1

      768de237b92796ad74f5aeb392ebe4302a32feab

      SHA256

      1ddc33fbec13a39e53946a319ac045908a28d191f326b600e81cf69e88d87488

      SHA512

      8e5de4984001cb2784f39d033b321fe537ecd376530748e0e7a4225eec1e907cdc181b0da529cee90ce70b52da06e42c2037f5f0be67950d7fb86a471fdbf349

    • memory/1440-133-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
    • memory/1440-137-0x00007FFBF3960000-0x00007FFBF3970000-memory.dmp (Filesize 64KB)
    • memory/1440-138-0x00007FFBF3960000-0x00007FFBF3970000-memory.dmp (Filesize 64KB)
    • memory/1440-136-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
    • memory/1440-134-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
    • memory/1440-135-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
    • memory/1440-132-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
    • memory/1440-146-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
    • memory/1440-147-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
    • memory/1440-148-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
    • memory/1440-149-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)