Analysis
-
max time kernel
149s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02-12-2022 14:44
General
-
Target
Nicht bestätigt 670541.docm
-
Size
77KB
-
MD5
c0142660f90819bbeaa50a7f1661cbd6
-
SHA1
31b94e4cf8eaa656851c071c7e3da0c7cba0ffc8
-
SHA256
8d94a2f6cde012fbf6d57dee0d9abc7ea7d4f2d61704c2adfe6a7c95ae5b6fd9
-
SHA512
ad96f573bf5d91cae8b931cb73571cbd9f284ea32fb6454b007c1a46bce1ce4f878322e541d36256c28f5c8da31a43129a0d12d966da81673a315dc61a715d8d
-
SSDEEP
1536:IKHoj+0QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQg:IKHQDEUNFu+E
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 31 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 670541.docm"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c echo for /L %%z in (1,1,50) do ping 172.25.1.%%z -w 10 -n 3 -l 666>%temp%\666.bat2⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\cmd.execmd /c %temp%\666.bat2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.1 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.2 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.3 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.4 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.5 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.6 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.7 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.8 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.9 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.10 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.11 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.12 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.13 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.14 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.15 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.16 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.17 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.18 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.19 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.20 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.21 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.22 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.23 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.24 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.25 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.26 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.27 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.28 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.29 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.30 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 172.25.1.31 -w 10 -n 3 -l 6663⤵
- Runs ping.exe
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\666.batFilesize
63B
MD5e8e77eee6e8fc21d0d1e640e71699921
SHA1d265b2d5e2233360b26e2df6b2027ed1277684c6
SHA256ae463c86e5db04b404622cb92baedfcc65f0767b109bd09d2017eacb89f73acc
SHA51241a4ef3b047c4f27cf6bd0da73a7a89130892fcea8afeabdd5320caf572e2a68ccf14202a9f3cacdec196320c409741068711c158cced49b487ac85cbd068585
-
memory/240-92-0x0000000000000000-mapping.dmp
-
memory/340-79-0x0000000000000000-mapping.dmp
-
memory/592-91-0x0000000000000000-mapping.dmp
-
memory/596-96-0x0000000000000000-mapping.dmp
-
memory/840-74-0x0000000000000000-mapping.dmp
-
memory/840-88-0x0000000000000000-mapping.dmp
-
memory/848-85-0x0000000000000000-mapping.dmp
-
memory/872-69-0x000000007157D000-0x0000000071588000-memory.dmpFilesize
44KB
-
memory/872-60-0x0000000000321000-0x0000000000325000-memory.dmpFilesize
16KB
-
memory/872-59-0x0000000000321000-0x0000000000325000-memory.dmpFilesize
16KB
-
memory/872-58-0x000000007157D000-0x0000000071588000-memory.dmpFilesize
44KB
-
memory/872-54-0x0000000072B11000-0x0000000072B14000-memory.dmpFilesize
12KB
-
memory/872-57-0x0000000075B41000-0x0000000075B43000-memory.dmpFilesize
8KB
-
memory/872-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/872-55-0x0000000070591000-0x0000000070593000-memory.dmpFilesize
8KB
-
memory/932-72-0x0000000000000000-mapping.dmp
-
memory/968-64-0x0000000000000000-mapping.dmp
-
memory/1032-94-0x0000000000000000-mapping.dmp
-
memory/1068-81-0x0000000000000000-mapping.dmp
-
memory/1068-95-0x0000000000000000-mapping.dmp
-
memory/1164-93-0x0000000000000000-mapping.dmp
-
memory/1164-65-0x0000000000000000-mapping.dmp
-
memory/1252-80-0x0000000000000000-mapping.dmp
-
memory/1276-77-0x0000000000000000-mapping.dmp
-
memory/1340-61-0x0000000000000000-mapping.dmp
-
memory/1468-70-0x0000000000000000-mapping.dmp
-
memory/1492-86-0x0000000000000000-mapping.dmp
-
memory/1512-76-0x0000000000000000-mapping.dmp
-
memory/1512-90-0x0000000000000000-mapping.dmp
-
memory/1516-87-0x0000000000000000-mapping.dmp
-
memory/1564-78-0x0000000000000000-mapping.dmp
-
memory/1584-66-0x0000000000000000-mapping.dmp
-
memory/1584-67-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmpFilesize
8KB
-
memory/1604-89-0x0000000000000000-mapping.dmp
-
memory/1604-75-0x0000000000000000-mapping.dmp
-
memory/1712-62-0x0000000000000000-mapping.dmp
-
memory/1768-68-0x0000000000000000-mapping.dmp
-
memory/1904-71-0x0000000000000000-mapping.dmp
-
memory/1948-82-0x0000000000000000-mapping.dmp
-
memory/1948-97-0x0000000000000000-mapping.dmp
-
memory/1972-73-0x0000000000000000-mapping.dmp
-
memory/2020-84-0x0000000000000000-mapping.dmp
-
memory/2024-83-0x0000000000000000-mapping.dmp