732cfacaafe15f55c177d929eeb4b129dc5a44ce04c8d6d83da236d74c50979f

Resubmissions

30/09/2023, 07:51

230930-jpwaqsbc35 10

29/09/2023, 22:10

230929-13rm5sgc42 10

29/09/2023, 21:44

230929-1lmymagb76 10

Analysis

max time kernel
593s
max time network
569s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2023, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nicht bestätigt 788413.doc
Size

2.1MB
MD5

d7519b822434fb89fb3643bc2f450e23
SHA1

4fcf10a8fe9db80c3eaf172636a602f95b64b0fc
SHA256

732cfacaafe15f55c177d929eeb4b129dc5a44ce04c8d6d83da236d74c50979f
SHA512

d8b2e5eb888f3ca464e56aebcd6e4eab2b678739663aba90745e6d244a36a7e4e622afaa11f5a0a6effd5991cf26e37e4775837ff97c415ad5feee2969640e95
SSDEEP

12288:t+xefqnAWcv37wHxULygl0kPf5h2BSoPy+OnwGcOuU4N5:oAqnAHTwHK+g00Cy+OnSOz4r

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4132	4708	cmd.exe	9

Executes dropped EXE 1 IoCs

pid	Process
496	chats.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
468	schtasks.exe
1528	schtasks.exe
3400	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4708	WINWORD.EXE
4708	WINWORD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4724	cscript.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4708	WINWORD.EXE
4708	WINWORD.EXE
4708	WINWORD.EXE
4708	WINWORD.EXE
4708	WINWORD.EXE
4708	WINWORD.EXE
4708	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 4132	4708	WINWORD.EXE	85
PID 4708 wrote to memory of 4132	4708	WINWORD.EXE	85
PID 4132 wrote to memory of 1528	4132	cmd.exe	87
PID 4132 wrote to memory of 1528	4132	cmd.exe	87
PID 4132 wrote to memory of 3400	4132	cmd.exe	88
PID 4132 wrote to memory of 3400	4132	cmd.exe	88
PID 4132 wrote to memory of 468	4132	cmd.exe	89
PID 4132 wrote to memory of 468	4132	cmd.exe	89
PID 3392 wrote to memory of 4724	3392	cmd.exe	112
PID 3392 wrote to memory of 4724	3392	cmd.exe	112
PID 4992 wrote to memory of 1056	4992	cmd.exe	118
PID 4992 wrote to memory of 1056	4992	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Nicht bestätigt 788413.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\rtwitoghbklj.bat
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 4 /f /tn rtret /tr "C:\Users\Public\fghsd.bat"
    3⤵
    - Creates scheduled task(s)
    PID:1528
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 6 /f /tn sgsg /tr "C:\Users\Public\Pictures\oned.bat"
    3⤵
    - Creates scheduled task(s)
    PID:3400
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 8 /f /tn jhkff /tr "C:\Users\Public\chats\chats.exe"
    3⤵
    - Creates scheduled task(s)
    PID:468

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\fghsd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\system32\cscript.exe
  cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:4724

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\Pictures\oned.bat"
1⤵
PID:2704

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Public\fghsd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\system32\cscript.exe
  cscript //nologo "C:\Users\Admin\AppData\Local\Temp\_.vbs"
  2⤵
  PID:1056

C:\Users\Public\chats\chats.exe
C:\Users\Public\chats\chats.exe
1⤵
- Executes dropped EXE
PID:496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
374B

MD5
f7527f42289d19e38d328c8b9bf6c3c1

SHA1
11f79451278295174fc55e411ce43ae34a96a08e

SHA256
6b521ad07453a6c79a87e855c44861209f9ae687bb99f480e19d28b03dcfd9ac

SHA512
e80b3f93e3cca4352bb7c85b58c4486a331033531d9b83e3df35cd9ed2a7aef25eaa2b843f8f83b48d639fc9ea04608c0dcdf15b0a678cf0e4acb3c110dee82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_.vbs

Filesize
293B

MD5
5c204cd90cd0fc8e06ae478a6060f8e8

SHA1
6c8d3f828b5457ab20d78bc6f6fd768e2b318caa

SHA256
9c325f4c822346e33240a3dcf3a624a692ede0cd552b4374d0eb61a9be571012

SHA512
76ab29d00585571285905428428ab13e1cffb72a49f92538eed8a62399b33238313f186084c300a9986887f5395d3b257f6e6ca3929eb91360726240aa37afd1

Download Submit
C:\Users\Public\chats

Filesize
10KB

MD5
5e4ef26e46869b1cfa9b7f803eed5b33

SHA1
26d00ed8633f7ce0ea433b29a88f3602e38b7b0f

SHA256
2ab4d420f543103c1f0188445a3a47eaa77817514573cb07cb8810903ae1f67d

SHA512
7d2b36ac7f982b2885577d4c0d7fc467959bed68a07667b073fbf0bb072fd810099745567afa4e7a41bd1f0ce5a61efbff082173212542b8a38762faa4bf988e

Download Submit
C:\Users\Public\chats\chats.exe

Filesize
21KB

MD5
2cacf99569c85091ea987a02dc1e6bec

SHA1
b7bf707938cc0cef3d3e24be0c8748ee699beb15

SHA256
40e43aac9888c433d796e106c03846f48a1422d0950f27e0a2b793261e9f9e08

SHA512
38d2397b71b83c1f5eb2453fa6a6b3c7457671835fef13d8c92e6c1ac5fd1677682f0a7219bf9ddf922891caf0021a680fcd6ac8dd03116acd149710430c5a02

Download Submit
C:\Users\Public\chats\chats.exe

Filesize
21KB

MD5
2cacf99569c85091ea987a02dc1e6bec

SHA1
b7bf707938cc0cef3d3e24be0c8748ee699beb15

SHA256
40e43aac9888c433d796e106c03846f48a1422d0950f27e0a2b793261e9f9e08

SHA512
38d2397b71b83c1f5eb2453fa6a6b3c7457671835fef13d8c92e6c1ac5fd1677682f0a7219bf9ddf922891caf0021a680fcd6ac8dd03116acd149710430c5a02

Download Submit
C:\Users\Public\fghsd.bat

Filesize
712B

MD5
36b06d73347fe0da8177bd212e2b3f77

SHA1
f1fc033763b931a729b9da3eb29a0724fd3eb6b9

SHA256
a2f68aacf94a11678abd24039f1a26c65c257c26ac7c31c87b442fbd7f6583d9

SHA512
c2f90456644fd136c7ed33e83b9501d4c0323e294427b942a1bd078067be63ff3c5b3bc3c99f253b30d3ff579b64ef1699e3684612e9a4f4880e4a806f65c937

Download Submit
C:\Users\Public\rtwitoghbklj.bat

Filesize
480B

MD5
2981447b673ed84cf8a20457f175ff52

SHA1
f92a9f28c9da1d09a8332d68287a74cd7d3a2538

SHA256
f9459c9065454839cd1306c2e7759513bc5d204eb9a8095f5d49bd88654d8309

SHA512
2ac7562bbf63d2befc037c02a6bd89d1d76e7df28004b151d7d6c4d61cfa0347a21879995b797f40da20da1ce763147cf18864e0a90906fbb71b74d190f8193b

Download Submit
memory/496-124-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4708-16-0x00007FFF44B60000-0x00007FFF44B70000-memory.dmp

Filesize
64KB

Download
memory/4708-35-0x000002567A160000-0x000002567B130000-memory.dmp

Filesize
15.8MB

Download
memory/4708-7-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-8-0x00007FFF47050000-0x00007FFF47060000-memory.dmp

Filesize
64KB

Download
memory/4708-9-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-10-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-11-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-12-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-13-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-15-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-14-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-17-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-18-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-20-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-21-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-19-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-3-0x00007FFF47050000-0x00007FFF47060000-memory.dmp

Filesize
64KB

Download
memory/4708-22-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-6-0x00007FFF47050000-0x00007FFF47060000-memory.dmp

Filesize
64KB

Download
memory/4708-4-0x00007FFF47050000-0x00007FFF47060000-memory.dmp

Filesize
64KB

Download
memory/4708-23-0x00007FFF44B60000-0x00007FFF44B70000-memory.dmp

Filesize
64KB

Download
memory/4708-5-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-47-0x000002567A160000-0x000002567B130000-memory.dmp

Filesize
15.8MB

Download
memory/4708-51-0x000002567A160000-0x000002567B130000-memory.dmp

Filesize
15.8MB

Download
memory/4708-58-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-59-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-60-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-62-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-68-0x000002567A160000-0x000002567B130000-memory.dmp

Filesize
15.8MB

Download
memory/4708-69-0x000002567A160000-0x000002567B130000-memory.dmp

Filesize
15.8MB

Download
memory/4708-70-0x000002567A160000-0x000002567B130000-memory.dmp

Filesize
15.8MB

Download
memory/4708-87-0x00007FFF47050000-0x00007FFF47060000-memory.dmp

Filesize
64KB

Download
memory/4708-89-0x00007FFF47050000-0x00007FFF47060000-memory.dmp

Filesize
64KB

Download
memory/4708-90-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-88-0x00007FFF47050000-0x00007FFF47060000-memory.dmp

Filesize
64KB

Download
memory/4708-2-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-0-0x00007FFF47050000-0x00007FFF47060000-memory.dmp

Filesize
64KB

Download
memory/4708-1-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-92-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-91-0x00007FFF47050000-0x00007FFF47060000-memory.dmp

Filesize
64KB

Download
memory/4708-94-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download
memory/4708-93-0x00007FFF86FD0000-0x00007FFF871C5000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads