Overview

overview

7

Static

static

3

WindowsCodecs.dll

windows7-x64

4

WindowsCodecs.dll

windows10-2004-x64

7

calc.cmd

windows7-x64

7

calc.cmd

windows10-2004-x64

7

war.zip

windows7-x64

1

war.zip

windows10-2004-x64

1

war.docx

windows7-x64

4

war.docx

windows10-2004-x64

1

war ... .exe

windows7-x64

7

war ... .exe

windows10-2004-x64

7

war.docx

windows7-x64

4

war.docx

windows10-2004-x64

1

Analysis

  • max time kernel
    300s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2023 22:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    war .exe

  • Size

    897KB

  • MD5

    10e4a1d2132ccb5c6759f038cdb6f3c9

  • SHA1

    42d36eeb2140441b48287b7cd30b38105986d68f

  • SHA256

    c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

  • SHA512

    9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

  • SSDEEP

    12288:MK8SOR3VRbImnDKxohj+5Q/oln46ucaOfRr5AWHeGL7GOK:MKm3MgDKGhC5GYLuca6LDod

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\war .exe
    "C:\Users\Admin\AppData\Local\Temp\war .exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c calc.cmd
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\488354ce-01ce-4d45-b47a-88701d40c52a.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\System32\cmd.exe
          cmd /c ""C:\ProgramData\488354ce-01ce-4d45-b47a-88701d40c52a.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
              PID:2720
            • C:\Windows\system32\timeout.exe
              timeout 300
              5⤵
              • Delays execution with timeout.exe
              PID:2560
            • C:\Windows\system32\taskkill.exe
              taskkill /im msedge.exe /f
              5⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1744
        • C:\Windows\system32\attrib.exe
          attrib -h -r /s
          3⤵
          • Views/modifies file attributes
          PID:1476
        • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
          "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\war.docx"
          3⤵
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Windows\splwow64.exe
            C:\Windows\splwow64.exe 12288
            4⤵
              PID:2136
          • C:\Windows\system32\taskkill.exe
            taskkill /F /IM "war .EXE"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2588

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\488354ce-01ce-4d45-b47a-88701d40c52a.bat
        Filesize

        574B

        MD5

        1c28e4650b89c53b1bfbaa681df69b6e

        SHA1

        4a35b98da5127ee907cd861089a67ee921f001d9

        SHA256

        f772458b163fdf1a1a22fceedfa822174f7ba622e71347473bf543ee617c9150

        SHA512

        85483b4f8b274d1b3f498aa94b51b5d1cd3b4644d3d1e43c22d74b496fbaf98d25c694888d7e72f498031f22f8c44c82377a6b3fdc5bca8c6f895172d532d3d0

        Download Submit

      • C:\ProgramData\488354ce-01ce-4d45-b47a-88701d40c52a.vbs
        Filesize

        130B

        MD5

        9db9550d272e9aeac7d7f4e0e4992e49

        SHA1

        a64f1d2de1105a1c231db36e35b5aa49b5d4a67f

        SHA256

        dea3e44a690518ac8661d541ce6420ad62c0675ff1f048f96d3914238c05729f

        SHA512

        fa6c0564cad085039a58f646ec26ea2a7e577e833ece5219b5e62ccb1effab013bf690fbe6fc032a3e55e7525cffe1476b607b173a5636f3ad27cb8891252318

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        e90b39f315d0aa0384c4b2e9db43cf76

        SHA1

        b66bc92646da50a72d1042dacdc162a389fcca9b

        SHA256

        8feba9b01f0f783301844e4d2c4a9a06ba452e2db581e15c8687677692b917ae

        SHA512

        d6473a4ddd6a1f7ccfa04d87738f88ecb39d712d748d313bcaa0085187e80532a1ee2aba42887521dfaeed2612578fd55d936b5bc1c453c7a901a4b5bc0cd39a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

        Download Submit

      • memory/2556-39-0x000000002F931000-0x000000002F932000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2556-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2556-41-0x0000000070E0D000-0x0000000070E18000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2556-70-0x0000000070E0D000-0x0000000070E18000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2556-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download