Overview

overview

8

Static

static

8

d04079c569...2.docm

windows7-x64

8

d04079c569...2.docm

windows10-2004-x64

1

Analysis

  • max time kernel
    135s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 08:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d04079c569863276bf4a135096b68fbafc6bb2679ac10b41b4af40f30d6fbb12.docm

  • Size

    113KB

  • MD5

    5d8928dc78c56a0409076ed13d22b451

  • SHA1

    b5bf3ddcf2cec0e245fc46543ff466e3a5928e5a

  • SHA256

    d04079c569863276bf4a135096b68fbafc6bb2679ac10b41b4af40f30d6fbb12

  • SHA512

    163aa5229215c3eca955b8f6fa1a6aa8350349d1214ff2d7e530db94b69ba3ea6953f04629d0420664f4b882e1713e76e2edbdad5c75e4bc4654afd617374ed6

  • SSDEEP

    3072:6xoHcq4x+WSfxLkDuNqZcuepmjWKFzS2T:6W8q4x+WSpLkDUqOpQWkzPT

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d04079c569863276bf4a135096b68fbafc6bb2679ac10b41b4af40f30d6fbb12.docm"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Users\Admin\AppData\ntuserssc.exe
      C:\Users\Admin\AppData\ntuserssc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Windows\SysWOW64\cmd.exe
        cmd /D /R type "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" > ___ && move /Y ___ "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
        3⤵
          PID:1644
        • C:\Windows\SysWOW64\cmd.exe
          cmd /D /R ping -n 10 localhost && del "C:\Users\Admin\AppData\ntuserssc.exe" && start /B "" "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe" && exit
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1744
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:1908
          • C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
            "C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe"
            4⤵
            • Executes dropped EXE
            • Modifies Installed Components in the registry
            • Adds Run key to start application
            PID:1684
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:540

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
        Filesize

        164KB

        MD5

        8f89b4e98b7574f28c0e4512ee1b4da1

        SHA1

        08ed57b47fdbc4d7d48ddce52c6e5171c383d486

        SHA256

        585b38c11e98a2c5891d7f4cbee40bb919ea19ceb12705eabab21dccb10b1328

        SHA512

        9f0f2a477993645fbe7df17ef9e690401977d9a77cd29e86044d6e8fb7506ce2e5b2f80b410253bd8b94f0c4f958055cd1cc3387337e47589edb311500850249

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
        Filesize

        164KB

        MD5

        8f89b4e98b7574f28c0e4512ee1b4da1

        SHA1

        08ed57b47fdbc4d7d48ddce52c6e5171c383d486

        SHA256

        585b38c11e98a2c5891d7f4cbee40bb919ea19ceb12705eabab21dccb10b1328

        SHA512

        9f0f2a477993645fbe7df17ef9e690401977d9a77cd29e86044d6e8fb7506ce2e5b2f80b410253bd8b94f0c4f958055cd1cc3387337e47589edb311500850249

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Windows\winlogin.exe
        Filesize

        164KB

        MD5

        8f89b4e98b7574f28c0e4512ee1b4da1

        SHA1

        08ed57b47fdbc4d7d48ddce52c6e5171c383d486

        SHA256

        585b38c11e98a2c5891d7f4cbee40bb919ea19ceb12705eabab21dccb10b1328

        SHA512

        9f0f2a477993645fbe7df17ef9e690401977d9a77cd29e86044d6e8fb7506ce2e5b2f80b410253bd8b94f0c4f958055cd1cc3387337e47589edb311500850249

        Download Submit
      • C:\Users\Admin\AppData\ntuserssc.exe
        Filesize

        164KB

        MD5

        8f89b4e98b7574f28c0e4512ee1b4da1

        SHA1

        08ed57b47fdbc4d7d48ddce52c6e5171c383d486

        SHA256

        585b38c11e98a2c5891d7f4cbee40bb919ea19ceb12705eabab21dccb10b1328

        SHA512

        9f0f2a477993645fbe7df17ef9e690401977d9a77cd29e86044d6e8fb7506ce2e5b2f80b410253bd8b94f0c4f958055cd1cc3387337e47589edb311500850249

        Download Submit
      • C:\Users\Admin\AppData\ntuserssc.exe
        Filesize

        164KB

        MD5

        8f89b4e98b7574f28c0e4512ee1b4da1

        SHA1

        08ed57b47fdbc4d7d48ddce52c6e5171c383d486

        SHA256

        585b38c11e98a2c5891d7f4cbee40bb919ea19ceb12705eabab21dccb10b1328

        SHA512

        9f0f2a477993645fbe7df17ef9e690401977d9a77cd29e86044d6e8fb7506ce2e5b2f80b410253bd8b94f0c4f958055cd1cc3387337e47589edb311500850249

        Download Submit
      • \Users\Admin\AppData\Roaming\Windows\winlogin.exe
        Filesize

        164KB

        MD5

        8f89b4e98b7574f28c0e4512ee1b4da1

        SHA1

        08ed57b47fdbc4d7d48ddce52c6e5171c383d486

        SHA256

        585b38c11e98a2c5891d7f4cbee40bb919ea19ceb12705eabab21dccb10b1328

        SHA512

        9f0f2a477993645fbe7df17ef9e690401977d9a77cd29e86044d6e8fb7506ce2e5b2f80b410253bd8b94f0c4f958055cd1cc3387337e47589edb311500850249

        Download Submit
      • \Users\Admin\AppData\ntuserssc.exe
        Filesize

        164KB

        MD5

        8f89b4e98b7574f28c0e4512ee1b4da1

        SHA1

        08ed57b47fdbc4d7d48ddce52c6e5171c383d486

        SHA256

        585b38c11e98a2c5891d7f4cbee40bb919ea19ceb12705eabab21dccb10b1328

        SHA512

        9f0f2a477993645fbe7df17ef9e690401977d9a77cd29e86044d6e8fb7506ce2e5b2f80b410253bd8b94f0c4f958055cd1cc3387337e47589edb311500850249

        Download Submit
      • memory/540-112-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/540-111-0x0000000000000000-mapping.dmp
        Download
      • memory/1084-102-0x0000000000000000-mapping.dmp
        Download
      • memory/1084-104-0x0000000001FE0000-0x0000000002119000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1644-106-0x0000000000000000-mapping.dmp
        Download
      • memory/1684-115-0x0000000000000000-mapping.dmp
        Download
      • memory/1684-117-0x0000000000B80000-0x0000000000CB9000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1744-109-0x0000000000000000-mapping.dmp
        Download
      • memory/1908-110-0x0000000000000000-mapping.dmp
        Download
      • memory/1968-70-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-94-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-72-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-74-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-73-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-75-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-76-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-77-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-78-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-79-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-80-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-82-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-81-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-84-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-83-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-85-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-87-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-86-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-88-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-90-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-89-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-91-0x00000000004CF000-0x00000000004D1000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1968-92-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-93-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-95-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-71-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-96-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-97-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-98-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-99-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-100-0x00000000004CF000-0x00000000004D1000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1968-54-0x0000000072021000-0x0000000072024000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1968-69-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-67-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-68-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-65-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-66-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-63-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-108-0x0000000070A8D000-0x0000000070A98000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1968-64-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-62-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-61-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-59-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-60-0x00000000004CF000-0x00000000004D3000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1968-58-0x0000000070A8D000-0x0000000070A98000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1968-57-0x0000000074AB1000-0x0000000074AB3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1968-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1968-55-0x000000006FAA1000-0x000000006FAA3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1968-119-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1968-120-0x0000000070A8D000-0x0000000070A98000-memory.dmp
        Filesize

        44KB

        Download