Analysis

  • max time kernel
    239s
  • max time network
    334s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/11/2022, 11:49

General

  • Target

    7231a857b66701bfe5376fb1399e609f6222fbe5bf208b87717dcf1dd1d82c0c.doc

  • Size

    149KB

  • MD5

    d6666b060d7c43d75def5eaaed8190e9

  • SHA1

    5c32a4e4c3d69a95e00a981a67f5ae36c7aae05e

  • SHA256

    7231a857b66701bfe5376fb1399e609f6222fbe5bf208b87717dcf1dd1d82c0c

  • SHA512

    a0ec5e4d868c7a1a0fcd07d6460fb2da6f20a730ad747e231514ca8566edabd2f3e4360782c0c71e354a26a76e2d2dc040243de6fd1dd823fb335ed031f6c816

  • SSDEEP

    3072:T4pq6txD0Ny0bp88aehsdc87SNUirOPLItUv5t3R:EfiFpaGl3iItUTh

Score
6/10

Malware Config

Signatures

  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless (for example) the parent process crashes. This usually indicates that an attempt to compromise the parent process was unsuccessful.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7231a857b66701bfe5376fb1399e609f6222fbe5bf208b87717dcf1dd1d82c0c.doc"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:892
      • C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
        "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1268
        2⤵
        • Process spawned suspicious child process
        • Suspicious use of WriteProcessMemory
        PID:808
        • C:\Windows\SysWOW64\dwwin.exe
          C:\Windows\system32\dwwin.exe -x -s 1268
          3⤵
            PID:528

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7339940.cvr

    Filesize
    1KB

    MD5
    198079455066c7924a180eb4e0bb71fb

    SHA1
    9392d47fe4271e8ba1d77097eae76647b21eb822

    SHA256
    3f4f647aa7b51e32c6a004a344b6abfecd1f39984bb85a79c28efacd2fee2108

    SHA512
    a8fbdfd9aa6e7d16565e8c692627abc45b1091c9fd2f5970c7d42c353c40f332914f20601d59be10d6a225b2d46ebd33fad62ff8a14fdfa675016c753b59b18a

  • memory/892-60-0x000007FEFBF61000-0x000007FEFBF63000-memory.dmp

    Filesize
    8KB

  • memory/1924-54-0x0000000072B01000-0x0000000072B04000-memory.dmp

    Filesize
    12KB

  • memory/1924-55-0x0000000070581000-0x0000000070583000-memory.dmp

    Filesize
    8KB

  • memory/1924-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize
    64KB

  • memory/1924-57-0x0000000076771000-0x0000000076773000-memory.dmp

    Filesize
    8KB

  • memory/1924-58-0x000000007156D000-0x0000000071578000-memory.dmp

    Filesize
    44KB