Analysis
max time kernel: 300s
max time network: 31s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 12-07-2023 11:10
Static task: static1
Behavioral task: behavioral1
  Sample: sysrar.doc
  Resource: win7-20230703-en
Behavioral task: behavioral2
  Sample: sysrar.doc
  Resource: win10v2004-20230703-en
General
Target: sysrar.doc
Size: 36KB
MD5: 7f447856ffce83300397a38af2fafb09
SHA1: 308af1464252d8a3274d1d5ee3fde0decf321728
SHA256: 903eda2289b5fccc26aaf44a2b7ffbcf1b48ba3b81f7095698a7a42f208c7984
SHA512: c9f79f23ebd0abab989678fa5b2ab94f444b536001be4d687e4360631d4a7f3938d20fbc17d1995a8b90599b004fd77e40b73de5887f3eb7cc1b14e79d9a3809
SSDEEP: 384:JDU1iSX3mSBqEIXxsjkev1a8MD32suJcXNBB3Su0jijm:5uqzBs4evozD32JJcXLEud
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  pid: 1784
  pid_target: 2304
  Process: WScript.exe
  procid_target: 28

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.vbe
  Process: WINWORD.EXE

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description / ioc / Process:
  File opened (read-only)  \??\E:  WScript.exe
  File opened (read-only)  \??\K:  WScript.exe
  File opened (read-only)  \??\N:  WScript.exe
  File opened (read-only)  \??\R:  WScript.exe
  File opened (read-only)  \??\T:  WScript.exe
  File opened (read-only)  \??\V:  WScript.exe
  File opened (read-only)  \??\W:  WScript.exe
  File opened (read-only)  \??\F:  WScript.exe
  File opened (read-only)  \??\M:  WScript.exe
  File opened (read-only)  \??\P:  WScript.exe
  File opened (read-only)  \??\Q:  WScript.exe
  File opened (read-only)  \??\J:  WScript.exe
  File opened (read-only)  \??\L:  WScript.exe
  File opened (read-only)  \??\G:  WScript.exe
  File opened (read-only)  \??\H:  WScript.exe
  File opened (read-only)  \??\I:  WScript.exe
  File opened (read-only)  \??\O:  WScript.exe
  File opened (read-only)  \??\S:  WScript.exe
  File opened (read-only)  \??\U:  WScript.exe
  File opened (read-only)  \??\X:  WScript.exe
  File opened (read-only)  \??\Y:  WScript.exe
  File opened (read-only)  \??\Z:  WScript.exe

Drops file in Windows directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\Debug\WIA\wiatrace.log
  Process: WINWORD.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid / Process: 2304 WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process: 2304 WINWORD.EXE
  pid / Process: 2304 WINWORD.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  PID 2304 wrote to memory of 2332  2304  WINWORD.EXE  29
  PID 2304 wrote to memory of 2332  2304  WINWORD.EXE  29
  PID 2304 wrote to memory of 2332  2304  WINWORD.EXE  29
  PID 2304 wrote to memory of 2332  2304  WINWORD.EXE  29
  PID 2304 wrote to memory of 1784  2304  WINWORD.EXE  30
  PID 2304 wrote to memory of 1784  2304  WINWORD.EXE  30
  PID 2304 wrote to memory of 1784  2304  WINWORD.EXE  30
  PID 2304 wrote to memory of 1784  2304  WINWORD.EXE  30
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sysrar.doc"
  PID: 2304
  - Drops startup file
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2332

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.vbe"
    PID: 1784
    - Process spawned unexpected child process
    - Enumerates connected drives
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 75B
MD5: 7a5a68d0e91e1b577a3e90bb9a36d162
SHA1: 38cb36650e5e4a70b217cf11c14d7ed27dfe4703
SHA256: 1f7afb73ea91c8cca5754b4c0d88fde275de2b4207766dd81d87d1ec5adf2c1e
SHA512: 4da8164951f4374690d2d53fd6df865ecc355e1b9a9f3d5ec03b393fec6f56d29ddc691ce4c24f79db49b0ef0c1bfa83bb918ca22ff5d6b7cb0e09cb7d62ed48

Filesize: 1KB
MD5: b3ae7487667beac7edd4a7d0c19e61ba
SHA1: 7daca93828c48c37bf2414f20ca5ccaf04b56f7d
SHA256: 2ab9d2edb0855a80276c2ed821f9427d8ff87ee23cde0211d96b55faacfe1b8c
SHA512: 1ce18cdbbb7fe830c3c78b41eb7862f15a919a1187846ea3f25f0071a26018a1600e78228aed1382387006e3b5e213bad5cdf8d214a7252418d1cf03c8ea3537