Overview

overview

10

Static

static

1

mof-npd-ci...3.docx

windows7-x64

1

mof-npd-ci...3.docx

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2024 15:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mof-npd-circ20240103.docx

  • Size

    1.6MB

  • MD5

    8202209354ece5c53648c52bdbd064f0

  • SHA1

    683210af38ef15f1bacb67ddc42f085bee05cf35

  • SHA256

    89d4d85592bf0b5e8b55c2d62c9050bfa8c3017f9f497134dbacbb2a0f13a09e

  • SHA512

    df8d1aaf4798541f25797c2928db9c90f03f534f5a326d05e160ae4f293fd0abd68b5e4ac9468da7a6af82a5b6eb2a79395367b2cdb514b57c76e5bb958cb47a

  • SSDEEP

    49152:JJb+67s4Y+WJ9UhMQzTDdwPaQx3fNdK1HAgCclqDhDAy:/f2mhMQ3DEaG3eHAgCclgEy

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 5 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 30 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mof-npd-circ20240103.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:3968
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:3132
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:1824
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:1348
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:3632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1348-67-0x00007FF95C910000-0x00007FF95CBD9000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/1348-66-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1348-68-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1824-44-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1824-45-0x00007FF95C910000-0x00007FF95CBD9000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/1824-46-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3132-53-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3132-52-0x00007FF95C910000-0x00007FF95CBD9000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3132-51-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3632-73-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3632-75-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3632-74-0x00007FF95C910000-0x00007FF95CBD9000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3968-31-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3968-35-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3968-33-0x00007FF95C910000-0x00007FF95CBD9000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/3968-34-0x00007FF91F090000-0x00007FF91F0A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3968-32-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-18-0x00007FF91CF80000-0x00007FF91CF90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5076-16-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-4-0x00007FF91F090000-0x00007FF91F0A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5076-5-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-6-0x00007FF91F090000-0x00007FF91F0A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5076-7-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-8-0x00007FF91F090000-0x00007FF91F0A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5076-10-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-14-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-15-0x00007FF91CF80000-0x00007FF91CF90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5076-0-0x00007FF91F090000-0x00007FF91F0A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5076-3-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-17-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-58-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-59-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-60-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-11-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-13-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-12-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-9-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5076-2-0x00007FF91F090000-0x00007FF91F0A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5076-1-0x00007FF95F010000-0x00007FF95F205000-memory.dmp

    Filesize

    2.0MB

    Download