Overview

overview

10

Static

static

1

667f53c100...3a.doc

windows7-x64

10

667f53c100...3a.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2024, 01:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    667f53c1003e7fe1bb14c04721893a3a.doc

  • Size

    72KB

  • MD5

    667f53c1003e7fe1bb14c04721893a3a

  • SHA1

    c379bd767de2ba8c1189808e006e3256c647662a

  • SHA256

    49025f29f934288c5757cb19b273447681a7f74b169dfee5fa3d204bfb664a0a

  • SHA512

    4f71b56f6859c2bcef4f4d7b76c38af8d2559eba6f3199e56e8e7f584934f3531c7fcc7ec755d6db14f676e378a499cd03276f04a09dd2e23a4a524420450656

  • SSDEEP

    1536:EYntJ1rHr11AQYyqGJHQYCDEtU6dLTR97c8KpeROJ6KrKSRKFG8xpdG8oYRZLgmw:zb1dxQYNtU6Zvc8KpeROJ6KrKSRKFG8G

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\667f53c1003e7fe1bb14c04721893a3a.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /s /c c:\\programdata\\index.hTA
      2⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\index.hTA" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:524

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\programdata\index.hTA
      Filesize

      3KB

      MD5

      ee3ea82e681632eeb1b86bb2309fecde

      SHA1

      4ffa99969366a11e23b7cdedbbd673a5a0230a37

      SHA256

      443b02b1615e2dcc6daba16b8bad23efe2b0000436a98dc4a3f0af35e825fdb6

      SHA512

      07ffb009b45f1d6545f66bc9c7a56d72987bcd46b295afbb61f14be7bbf4f2068785bcc4ac46794778e17cbb203d9f450e2bc6a44cb2f47895422838d3536388

      Download Submit

    • memory/3380-19-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-22-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-7-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-9-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-8-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-5-0x00007FF7C7FF0000-0x00007FF7C8000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3380-10-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-12-0x00007FF7C5920000-0x00007FF7C5930000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3380-11-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-13-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-2-0x00007FF7C7FF0000-0x00007FF7C8000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3380-1-0x00007FF7C7FF0000-0x00007FF7C8000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3380-14-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-15-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-17-0x00007FF7C5920000-0x00007FF7C5930000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3380-4-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-6-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-21-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-20-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-18-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-16-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-0-0x00007FF7C7FF0000-0x00007FF7C8000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3380-36-0x000001760DFC0000-0x000001760EF90000-memory.dmp

      Filesize

      15.8MB

      Download

    • memory/3380-47-0x000001760DFC0000-0x000001760EF90000-memory.dmp

      Filesize

      15.8MB

      Download

    • memory/3380-3-0x00007FF7C7FF0000-0x00007FF7C8000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3380-59-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-60-0x000001760DFC0000-0x000001760EF90000-memory.dmp

      Filesize

      15.8MB

      Download

    • memory/3380-61-0x000001760DFC0000-0x000001760EF90000-memory.dmp

      Filesize

      15.8MB

      Download

    • memory/3380-85-0x00007FF7C7FF0000-0x00007FF7C8000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3380-86-0x00007FF807F70000-0x00007FF808165000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3380-84-0x00007FF7C7FF0000-0x00007FF7C8000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3380-83-0x00007FF7C7FF0000-0x00007FF7C8000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3380-82-0x00007FF7C7FF0000-0x00007FF7C8000000-memory.dmp

      Filesize

      64KB

      Download