Overview

overview

10

Static

static

8

Dokumente ...59.doc

windows7-x64

10

Dokumente ...59.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    91s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    13-03-2023 09:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dokumente 2023.08.03_1559.doc

  • Size

    527.3MB

  • MD5

    275353a6dc348d9dc9336bbf718a8b1d

  • SHA1

    5b8b9e95b9d6e97261526a86ba780bd58b536314

  • SHA256

    87942501af3e7ac7e2c2957b53081c26a38cf53bd81f981a051e337309a2be78

  • SHA512

    21a94611439c4e6d08004c686a0c1c89f0d1aaf36a918a547521d1fe7e7cf3e6781d3132e088816e96b12c81643b351dcf29ebdacf4eb50ff25d40fb6cf8452c

  • SSDEEP

    3072:2JX29m8QBUoItA/leC6gSJ+2JiclnUOvrRxqmLcHeNJxPkdVdTRcDK6:2EmleC6gSJWclU0RxVLcHe5cdTR

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Dokumente 2023.08.03_1559.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\100147.tmp"
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\100147.tmp"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1292
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HLhhfdcsJMyiXUM\PejrgTefSI.dll"
          4⤵
            PID:1560
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:332

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\100147.tmp
        Filesize

        527.5MB

        MD5

        d4d306a6d9d1ae637e0cfacf04f7431a

        SHA1

        68b7fb0aa0d65569aa62937620f58a50bd3e9fdd

        SHA256

        a6e1b44ccb61a67b8e16ddc67eccacdd4b9b31a9de1fd048793c5c46b22337e2

        SHA512

        d473a2c746eba2b0add8252f5d44eca39b5a862978de80bc8e0d83f3adfee4601f21bcba3f63caa4fda02fc4c79cae704ac0905f4c938af8abbc2381332f682c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\100153.zip
        Filesize

        821KB

        MD5

        f1ec7bd22e219fdb389f5e2a0a8132df

        SHA1

        fe8cf0aa2da1a147024c82ac45989795e5b467e0

        SHA256

        8582757782e4048ba84898de0953c7c9710d84c2e764d1fca8b1d393c436dbc8

        SHA512

        2b77027da8f0811f7cfc3735e579c4fd7e3506d85fa78ad667e88bd43dc0ab376d2b8b0c6aab3d35678810a9ee6e589b93d60aa481239ad3acf91cadc88f4969

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        ce0c899c5d7bf1fa33dd5d6e2f8968fd

        SHA1

        4e06c92082c536db4b6390ef150e0804fd041ac4

        SHA256

        0dec34b7ccd3493ceacc82e3b723d2cba5afb24dd1a74953bc1c28d95d01da59

        SHA512

        223ac7db69d2df80f8cfde965811734899d9e2919337edbac4c6914efd97e1d2748b64af4a30d96c2657e3f9d63162febd2d791aae2c928fb1e1198a20e979be

        Download Submit

      • \Users\Admin\AppData\Local\Temp\100147.tmp
        Filesize

        527.5MB

        MD5

        d4d306a6d9d1ae637e0cfacf04f7431a

        SHA1

        68b7fb0aa0d65569aa62937620f58a50bd3e9fdd

        SHA256

        a6e1b44ccb61a67b8e16ddc67eccacdd4b9b31a9de1fd048793c5c46b22337e2

        SHA512

        d473a2c746eba2b0add8252f5d44eca39b5a862978de80bc8e0d83f3adfee4601f21bcba3f63caa4fda02fc4c79cae704ac0905f4c938af8abbc2381332f682c

        Download Submit

      • \Users\Admin\AppData\Local\Temp\100147.tmp
        Filesize

        527.5MB

        MD5

        d4d306a6d9d1ae637e0cfacf04f7431a

        SHA1

        68b7fb0aa0d65569aa62937620f58a50bd3e9fdd

        SHA256

        a6e1b44ccb61a67b8e16ddc67eccacdd4b9b31a9de1fd048793c5c46b22337e2

        SHA512

        d473a2c746eba2b0add8252f5d44eca39b5a862978de80bc8e0d83f3adfee4601f21bcba3f63caa4fda02fc4c79cae704ac0905f4c938af8abbc2381332f682c

        Download Submit

      • memory/1292-1766-0x0000000000130000-0x0000000000131000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1560-1771-0x00000000002F0000-0x00000000002F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1572-102-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-107-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-87-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-86-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-85-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-90-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-92-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-91-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-93-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-94-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-95-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-97-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-96-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-98-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-99-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-100-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-101-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1572-104-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-103-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-105-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-88-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-106-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-109-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-108-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-111-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-110-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-112-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-113-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-115-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-116-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-114-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-139-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-89-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-1509-0x0000000006340000-0x0000000006341000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1572-80-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-81-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-82-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-84-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-83-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1572-1772-0x0000000006340000-0x0000000006341000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1572-79-0x0000000000500000-0x0000000000600000-memory.dmp

        Filesize

        1024KB

        Download