Analysis

  • max time kernel
    119s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    20/10/2022, 21:23

General

  • Target

    dbfa530321052ec0b4750739cf263be49ebef363bd5e90f8e109fb915273d2cb.rtf

  • Size

    440KB

  • MD5

    7acfdbaaba6d65eb7f71f6ee454325aa

  • SHA1

    299bc7d358904fe95f7140faf361aea266c02ea3

  • SHA256

    dbfa530321052ec0b4750739cf263be49ebef363bd5e90f8e109fb915273d2cb

  • SHA512

    97796c0303ee46d6d81ddc9410c21a0c60d055b40355f0cc8a8da396282a8d348c719b61328e00c7e55073b915a495fd07743ed3a624a9743268623da7364914

  • SSDEEP

    6144:p8oyFqbMz1+Y+uhu8KWaDqG5JMnwrvk4iX5zh2H1Yyv9Sfk/Nhatc:NQvMwo8wIM79h

Score
6/10

Malware Config

Signatures

  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dbfa530321052ec0b4750739cf263be49ebef363bd5e90f8e109fb915273d2cb.rtf"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
      "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 980
      2⤵
      • Process spawned suspicious child process
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 980
        3⤵
          PID:1288

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7149759.cvr

    Filesize
    896B

    MD5
    43567da9136b7799d2633dd437ab7a1c

    SHA1
    9290d28b4e612353208df3d9cc24788041651881

    SHA256
    b44ee9bb25fadd974dbe91436a84860c56fa87f4d53561160175367b68846c4f

    SHA512
    6eadfa88371c6d90d11115de5076f6f6f64935f763e138c800215113e495e34d71a4881f262c269a9c66f28612bc3aabe37e3c4cf75f4d54d470529405329495

  • memory/1920-54-0x00000000726D1000-0x00000000726D4000-memory.dmp

    Filesize
    12KB

  • memory/1920-55-0x0000000070151000-0x0000000070153000-memory.dmp

    Filesize
    8KB

  • memory/1920-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize
    64KB

  • memory/1920-57-0x0000000076121000-0x0000000076123000-memory.dmp

    Filesize
    8KB

  • memory/1920-58-0x000000007113D000-0x0000000071148000-memory.dmp

    Filesize
    44KB

  • memory/1920-64-0x000000007113D000-0x0000000071148000-memory.dmp

    Filesize
    44KB