Overview

overview

10

Static

static

10

03b96ab568...9.docm

windows7-x64

7

03b96ab568...9.docm

windows10-2004-x64

1

Analysis

  • max time kernel
    135s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 17:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03b96ab568d5a4a8d53ee14b6a571bf0fd5de50b6db02555420de7cf3d9737e9.docm

  • Size

    83KB

  • MD5

    342eac015ea7361729f6fb1506ac4ef1

  • SHA1

    e46dd99f1e3dd352abd161f1e8d61aebc062d6a6

  • SHA256

    03b96ab568d5a4a8d53ee14b6a571bf0fd5de50b6db02555420de7cf3d9737e9

  • SHA512

    6ae4ce90d9966f16bc5220c926ec29aab6250e4928f87201084e84269de2f748b6bb27da611751cd521299946e3050c0e8b277c3bb142adf2a44636e822fdb90

  • SSDEEP

    1536:1mS1WExOoRX51j1BPpoynaSlqx1JxpHj3Sc7g2Qh8eH6LG/:AS1XRJHB2yrlqx1Jxh3Sc7g2Qh1aq/

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\03b96ab568d5a4a8d53ee14b6a571bf0fd5de50b6db02555420de7cf3d9737e9.docm"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1476

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1356-54-0x00000000724B1000-0x00000000724B4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1356-55-0x000000006FF31000-0x000000006FF33000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1356-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1356-57-0x0000000075091000-0x0000000075093000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1356-58-0x0000000070F1D000-0x0000000070F28000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1356-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1356-62-0x0000000070F1D000-0x0000000070F28000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1476-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1476-60-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp
      Filesize

      8KB

      Download