Overview

overview

10

Static

static

10

5fbdc2fd7b...0.docx

windows7-x64

7

5fbdc2fd7b...0.docx

windows10-2004-x64

1

Analysis

  • max time kernel
    127s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    15-11-2023 16:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5fbdc2fd7b9fcf00d75d57db95a45780.docx

  • Size

    10KB

  • MD5

    5fbdc2fd7b9fcf00d75d57db95a45780

  • SHA1

    b2a03e0b531c008057d2c3f4eeedc2b5f3ccaca4

  • SHA256

    973fd226d53866557260798be5796c3369f9c7c52215d65bf47e404274eac1f3

  • SHA512

    e2d59f0bcbcc7f973de9166d3eb7715cc69951f1f923843c91160c95c9ffea33e79b5747eeff375be6c6bf8c0c38e54a0d1401711c8b3acd1107fb15c8240f99

  • SSDEEP

    192:ScIMmtP1aIG/bslPL++uOzl+CVWBXJC0c3H5:SPXU/slT+LOzHkZC9Z

Score
7/10

Malware Config

Signatures

  • Abuses OpenXML format to download file from external location 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5fbdc2fd7b9fcf00d75d57db95a45780.docx"
    1⤵
    • Abuses OpenXML format to download file from external location
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2968
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2972
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:596
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:600
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.0.2049809929\878658283" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5002c095-a57f-4b8f-b0d5-a934a7b43c94} 600 "\\.\pipe\gecko-crash-server-pipe.600" 1296 100e5e58 gpu
          3⤵
            PID:2688
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.1.181158236\191066023" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21019 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a42050b7-018d-425a-a04e-fe351d24d117} 600 "\\.\pipe\gecko-crash-server-pipe.600" 1504 d70d58 socket
            3⤵
            • Checks processor information in registry
            PID:1052
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.2.466977141\1067570259" -childID 1 -isForBrowser -prefsHandle 2100 -prefMapHandle 2096 -prefsLen 21057 -prefMapSize 232675 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f2fc1ee-d77f-4427-9281-eaaa26da1c4d} 600 "\\.\pipe\gecko-crash-server-pipe.600" 2112 1a195058 tab
            3⤵
              PID:1692
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.3.1008639670\872024992" -childID 2 -isForBrowser -prefsHandle 576 -prefMapHandle 616 -prefsLen 26482 -prefMapSize 232675 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bb0ffbb-6eae-4d22-a1d5-e84c53ede266} 600 "\\.\pipe\gecko-crash-server-pipe.600" 2484 d71358 tab
              3⤵
                PID:556
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.4.242900123\1717123146" -childID 3 -isForBrowser -prefsHandle 2940 -prefMapHandle 2936 -prefsLen 26482 -prefMapSize 232675 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e1de6fe-74be-4b48-a05b-6b737a3c2a89} 600 "\\.\pipe\gecko-crash-server-pipe.600" 2952 d62558 tab
                3⤵
                  PID:2084
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.5.366690608\1585917144" -childID 4 -isForBrowser -prefsHandle 3736 -prefMapHandle 3732 -prefsLen 26541 -prefMapSize 232675 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96a168fc-5a9e-4e94-9428-08c1fe09ab05} 600 "\\.\pipe\gecko-crash-server-pipe.600" 3760 1ea1df58 tab
                  3⤵
                    PID:1572
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.6.1022302233\325340996" -childID 5 -isForBrowser -prefsHandle 3856 -prefMapHandle 3860 -prefsLen 26541 -prefMapSize 232675 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22ef64c9-a185-4450-b320-83c2bbfa8e4f} 600 "\\.\pipe\gecko-crash-server-pipe.600" 3844 1ea1ee58 tab
                    3⤵
                      PID:1592
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="600.7.1175155760\1677036095" -childID 6 -isForBrowser -prefsHandle 4048 -prefMapHandle 4052 -prefsLen 26541 -prefMapSize 232675 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fdca990-274d-42a9-b3d0-0468025bb94c} 600 "\\.\pipe\gecko-crash-server-pipe.600" 4036 1ea1e858 tab
                      3⤵
                        PID:2676

                  Network

                  MITRE ATT&CK Matrix ATT&CK v13

                  Initial Access

                  Execution

                  Persistence

                  Privilege Escalation

                  Defense Evasion

                  Modify Registry

                  1
                  T1112

                  Credential Access

                  Discovery

                  Query Registry

                  2
                  T1012

                  System Information Discovery

                  1
                  T1082

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Resource Development

                  Reconnaissance

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{C5AEA3AA-29D7-4422-9954-9D5E1667D265}.FSD
                    Filesize

                    128KB

                    MD5

                    f90c52444263ed84c659eabf878e7da2

                    SHA1

                    f8c11aa4204261d1b9a84d83654366fc614360dc

                    SHA256

                    1a4c061bf289733de7054a1541aefce93d282a688a53b45049d43b22ead21f52

                    SHA512

                    2d7c68ed7078729e87985bc982d627e5ef97b495350e3c25c85bdb4b0050947aef4bf5be2d7cc3857772a2aeecd71aad107229500c25cb8135f9f7298ba18dc3

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
                    Filesize

                    128KB

                    MD5

                    68fde78f186f33e0addf6f72381a3886

                    SHA1

                    819dc6745aa093db293757287e6cfa6e338afda6

                    SHA256

                    0853922d64f52479c99a4c4b966e6ce4fbc241f892b861109f6e9d21d0429369

                    SHA512

                    027e6d563b47e49965461bc6539067b4964b20b08cdcd6eedb28c2ba822b9ec8d32ae0dd405a11ea514e1e220270f80fe06bd623745166c683d91a7b98f795e1

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{28FC7BB4-71CD-4107-AAB3-C4E28FC5CBAA}.FSD
                    Filesize

                    128KB

                    MD5

                    cd0771797aa3bba304e51d5c8429e9ba

                    SHA1

                    36fe648f02c3b080d22642391def34989bc2b9af

                    SHA256

                    894a670986f819e201332f61884b68998e40cf4ab0a99f95ff49817c31a2d5bf

                    SHA512

                    32488ae8d4977ba410a943623dea2c9674f742c62fdd9fef9f9cc06886f3cac56fe1c3128b607a92e2a787aa6f4de761e71c45696b42b161133ccaa7813c7c39

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\k2ysa5kb.default-release\activity-stream.discovery_stream.json.tmp
                    Filesize

                    22KB

                    MD5

                    46932d6af8a5f68040fcbb159b994b8f

                    SHA1

                    2157c5e1c88a97befc98b1adb700d493dedda9ae

                    SHA256

                    1d39bd58b11e65de86762e0dec0689887a14f6a9c7d3f4dfcc47baa2efcc50eb

                    SHA512

                    1f304422f83531ef3f69d98c16f540935601806e63b5d7a884ead13f6adfdc44b4d3458920ac61c30f025199d625ef4b0a3f12d45205f0bca085721ada5866d0

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\{A2643D6E-F91E-466F-9930-73D539CD06C0}
                    Filesize

                    128KB

                    MD5

                    fbaa7df4b197b89321b15eb6752ff436

                    SHA1

                    45a5634436f950432c26847c191c2a63e21ca3b1

                    SHA256

                    81f941f8cd7cd7728d76864966348ec2550e9d2ba681fc865b55945087e15d54

                    SHA512

                    74a7b680b7e5e606adfb8886be1f5b34a42184d742a1552ca831ddb03f60748fb8d5e080b93fb794089555d21f3e8fa65dec0e0f7d9cc5c0f4471c6c19c80f01

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k2ysa5kb.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    c63dd9dfebe2d1044b5ac675a8c4ff96

                    SHA1

                    92a5b19e73ad80fe6eea2e7feeb5e8605e38274b

                    SHA256

                    22180a0ec36c181cf1319fc50525e56111db9a086d51ba5cc4384eca1e5e1b48

                    SHA512

                    9dfb59fed59dbf0bb98173428e01cae1acccdea59aa20430630ddb65c8107c59cfc0cec82d1a02055daba2609dc01eae9482c5ac1af0e77272bc35696b257d3b

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k2ysa5kb.default-release\sessionstore.jsonlz4
                    Filesize

                    831B

                    MD5

                    a4f292c80f89d14c28c0e66727b012e5

                    SHA1

                    409ea3603fbae7956298754151e99b6847c09183

                    SHA256

                    872d8cf43be8da4b8a661e3a80aeba965c58d56eb15f4d0c5c8f59113204587e

                    SHA512

                    2fd335ced6f49f1bd6ec02d7c71e43cb788af5c7cf1631fef3427a48cf2db913163a9920309ab5d341fa8d1e384cd9dfb3c07483e891f5c592c7fa8a3bf9335d

                    Download Submit
                  • memory/2968-0-0x000000002F8E1000-0x000000002F8E2000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/2968-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/2968-2-0x00000000713BD000-0x00000000713C8000-memory.dmp
                    Filesize

                    44KB

                    Download
                  • memory/2968-62-0x00000000713BD000-0x00000000713C8000-memory.dmp
                    Filesize

                    44KB

                    Download