Overview

overview

10

Static

static

8

313a743ed5...37.doc

windows7-x64

10

313a743ed5...37.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2022 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    313a743ed5558caa203fd873c22a178d6e4fed8c3ca75d40f827eeedccf31c37.doc

  • Size

    115KB

  • MD5

    7cf2a5dfb0c0777e0670aea29cb3a97b

  • SHA1

    ddbcdccf41d8386ae5183415c3ce139a6a010efb

  • SHA256

    313a743ed5558caa203fd873c22a178d6e4fed8c3ca75d40f827eeedccf31c37

  • SHA512

    e87fbf56de867d4b895db24dd7c7abb2fedfcf020ed004e636bb5bf4b5b51b8f9a2da534b7077eab822b42f939891c217ca162d4b1334bf3ded7bbc611fbb92c

  • SSDEEP

    3072:WFJ6s9d9fP4LvppgFS8tvJpIl/2016CMnryG1e:bs9grpwSQpIl7IryMe

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 56 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\313a743ed5558caa203fd873c22a178d6e4fed8c3ca75d40f827eeedccf31c37.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://officeredir.microsoft.com/r/rlidUNLGenuine?LCID=1033&MSG=2&PID=02260-018-0000106-48606
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1016 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1728
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1832
    • C:\Windows\system32\wscript.exe
      wscript.exe //e:vbscript //b C:\Users\Admin\AppData\Roaming\Microsoft\Templates\1589989024.xml
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      PID:1912

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\1589989024.xml
      Filesize

      190B

      MD5

      eb7426a8b9e544057246dbb2027d6f3f

      SHA1

      8646086619816068ffcdde0d440dee3b45db3a18

      SHA256

      65e4b48d32aececc74fcecbee233ab8d83e60199c6e7b0b0aeaf55d1652fd607

      SHA512

      60b36164e7e7cc078d9097990680ee2233662d015918abc5a9ff5a797003f702a5cb1de640272678642cd806aa02bc37120aa9ba7f619fe87f64e737a14ca00e

      Download Submit

    • memory/1832-104-0x0000000000000000-mapping.dmp

      Download

    • memory/1912-102-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1956-63-0x000000000037A000-0x0000000000380000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1956-71-0x000000000037A000-0x0000000000380000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1956-59-0x000000000037A000-0x0000000000380000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1956-60-0x000000000037A000-0x0000000000380000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1956-62-0x000000000037A000-0x0000000000380000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1956-61-0x000000000037A000-0x0000000000380000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1956-64-0x000000000037A000-0x0000000000380000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1956-54-0x0000000072281000-0x0000000072284000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1956-65-0x000000000037A000-0x0000000000380000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1956-58-0x0000000070CED000-0x0000000070CF8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1956-77-0x000000000037A000-0x0000000000380000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1956-83-0x000000000037A000-0x0000000000380000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1956-89-0x000000000037A000-0x0000000000380000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1956-95-0x000000000037A000-0x0000000000380000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1956-57-0x0000000075141000-0x0000000075143000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1956-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1956-103-0x0000000070CED000-0x0000000070CF8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1956-55-0x000000006FD01000-0x000000006FD03000-memory.dmp

      Filesize

      8KB

      Download