Resubmissions

12-07-2023 11:10

230712-m933vsdh3s 10

12-07-2023 11:08

230712-m8v1vsdh21 8

Analysis

  • max time kernel
    300s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    12-07-2023 11:10

General

  • Target

    sysrar.doc

  • Size

    36KB

  • MD5

    7f447856ffce83300397a38af2fafb09

  • SHA1

    308af1464252d8a3274d1d5ee3fde0decf321728

  • SHA256

    903eda2289b5fccc26aaf44a2b7ffbcf1b48ba3b81f7095698a7a42f208c7984

  • SHA512

    c9f79f23ebd0abab989678fa5b2ab94f444b536001be4d687e4360631d4a7f3938d20fbc17d1995a8b90599b004fd77e40b73de5887f3eb7cc1b14e79d9a3809

  • SSDEEP

    384:JDU1iSX3mSBqEIXxsjkev1a8MD32suJcXNBB3Su0jijm:5uqzBs4evozD32JJcXLEud

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops startup file 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sysrar.doc"
    1⤵
    • Drops startup file
    • Drops file in Windows directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2332
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.vbe"
        2⤵
        • Process spawned unexpected child process
        • Enumerates connected drives
        PID:1784

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      75B

      MD5

      7a5a68d0e91e1b577a3e90bb9a36d162

      SHA1

      38cb36650e5e4a70b217cf11c14d7ed27dfe4703

      SHA256

      1f7afb73ea91c8cca5754b4c0d88fde275de2b4207766dd81d87d1ec5adf2c1e

      SHA512

      4da8164951f4374690d2d53fd6df865ecc355e1b9a9f3d5ec03b393fec6f56d29ddc691ce4c24f79db49b0ef0c1bfa83bb918ca22ff5d6b7cb0e09cb7d62ed48

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.vbe

      Filesize

      1KB

      MD5

      b3ae7487667beac7edd4a7d0c19e61ba

      SHA1

      7daca93828c48c37bf2414f20ca5ccaf04b56f7d

      SHA256

      2ab9d2edb0855a80276c2ed821f9427d8ff87ee23cde0211d96b55faacfe1b8c

      SHA512

      1ce18cdbbb7fe830c3c78b41eb7862f15a919a1187846ea3f25f0071a26018a1600e78228aed1382387006e3b5e213bad5cdf8d214a7252418d1cf03c8ea3537

    • memory/2304-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2304-59-0x0000000000480000-0x0000000000580000-memory.dmp

      Filesize

      1024KB

    • memory/2304-58-0x0000000000480000-0x0000000000580000-memory.dmp

      Filesize

      1024KB

    • memory/2304-61-0x0000000000480000-0x0000000000580000-memory.dmp

      Filesize

      1024KB

    • memory/2304-60-0x0000000000480000-0x0000000000580000-memory.dmp

      Filesize

      1024KB

    • memory/2304-73-0x0000000000480000-0x0000000000580000-memory.dmp

      Filesize

      1024KB

    • memory/2304-72-0x0000000000480000-0x0000000000580000-memory.dmp

      Filesize

      1024KB