Analysis

  • max time kernel
    133s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2024, 02:20

General

  • Target

    bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc

  • Size

    243KB

  • MD5

    c7155ee36a292f7fd3ec128a5386bad3

  • SHA1

    d2ebba5249076fdb49f5a70d8391882694478849

  • SHA256

    bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea

  • SHA512

    bc6c1e4c3c0588f98fc1ebea36ef1d3f5f52c13c8f039d793204be91d4ccd725693c6093ca3cbd3cbf13bf8c775f784ef608b1424a19b6b12f9e606eb8fe6436

  • SSDEEP

    6144:Z2hxiaIlxQ1iXaF5H/FtDBoccgbb5UUELzt:ZsDIlxgiXabRpzEL

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1788
      • C:\Windows\SysWOW64\Regsvr32.exe
        "Regsvr32.exe" /s "C:/Users/Admin/AppData/Local/Temp/app.pln"
        2⤵
        • Process spawned unexpected child process
        • Loads dropped DLL
        PID:2072
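The chain above (WINWORD.EXE, PID 2492, launching Regsvr32.exe with /s on a dropped file named app.pln in the user's Temp directory) is what the "Process spawned unexpected child process" and "Loads dropped DLL" signatures are reacting to. The following is an added example of how to encode that observation as detection logic; it is not tooling from the sandbox or from any vendor. The events are constructed here to mirror Sysmon Event ID 1 (process creation) fields using the images and command lines shown in the process tree, plus one benign regsvr32 event (an installer registering a DLL under Program Files) to show the rules do not fire on routine use. The list of proxy binaries is wider than the single one this report shows.

```python
"""Added example: detection logic for the Office -> Regsvr32 chain above.
Events are constructed to mirror Sysmon Event ID 1 fields; they are not
exported from the sandbox run."""
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Signed Windows binaries routinely used to proxy execution of a dropped
# payload (ATT&CK T1218); regsvr32 is the one this report shows.
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                  "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Extensions regsvr32 is normally handed; anything else (here .pln) is a
# renamed DLL and worth a look.
REGSVR32_EXPECTED_EXT = {".dll", ".ocx", ".ax"}
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes,
    and return the tokens with surrounding quotes removed."""
    return [q if q else bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def regsvr32_target(tokens):
    """The first non-switch argument after the image name is the module path.
    The sample uses forward slashes, which Windows accepts; normalise them."""
    for tok in tokens[1:]:
        if not tok.startswith(("/", "-")):
            return tok.replace("/", "\\")
    return None


def analyze(event):
    """Return the reasons this process-creation event is suspicious
    (an empty list means nothing to flag)."""
    reasons = []
    parent = ntpath.basename(event["parent_image"]).lower()
    child = ntpath.basename(event["image"]).lower()
    tokens = split_cmdline(event["cmdline"])
    if parent in OFFICE_PARENTS and child in PROXY_BINARIES:
        reasons.append("office_spawned_proxy_binary")
    if child == "regsvr32.exe":
        target = regsvr32_target(tokens)
        switches = {t.lower() for t in tokens[1:] if t.startswith(("/", "-"))}
        if target is not None:
            if ntpath.splitext(target)[1].lower() not in REGSVR32_EXPECTED_EXT:
                reasons.append("regsvr32_unexpected_extension")
            if USER_WRITABLE.search(target):
                reasons.append("regsvr32_module_in_user_writable_path")
        # /s only matters once something else is already wrong: it suppresses
        # the dialog the user would otherwise see.
        if "/s" in switches and reasons:
            reasons.append("regsvr32_silent_flag")
    return reasons


def scan(events):
    """Map pid -> reasons for every event that raised at least one reason."""
    hits = {}
    for e in events:
        reasons = analyze(e)
        if reasons:
            hits[e["pid"]] = reasons
    return hits


WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
DOC = r"C:\Users\Admin\AppData\Local\Temp\bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc"
# Constructed events: the first three follow the report's process tree (the
# explorer.exe parent of WINWORD is assumed); the fourth is a benign control.
SAMPLE_EVENTS = [
    {"pid": 2492, "image": WINWORD, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{WINWORD}" /n "{DOC}"'},
    {"pid": 1788, "image": r"C:\Windows\splwow64.exe", "parent_image": WINWORD,
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 2072, "image": r"C:\Windows\SysWOW64\Regsvr32.exe", "parent_image": WINWORD,
     "cmdline": r'"Regsvr32.exe" /s "C:/Users/Admin/AppData/Local/Temp/app.pln"'},
    {"pid": 3100, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

Run stand-alone it reports only PID 2072, with all four reasons; splwow64.exe (a legitimate Office print-spooler helper) and the installer's regsvr32 call produce nothing.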

    Network

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\Users\Admin\AppData\Local\Temp\app.pln

            Filesize

            2.6MB

            MD5

            86e9ce5acb23e1ce8fbd63ac2bcdae2e

            SHA1

            a87d17f6008511b758e7e196ad0c48ef0e2c8a5e

            SHA256

            f4e45d8de105c1d73091fc6d93106c5eef287f0cb3d97cdc6837f8f6d79ea447

            SHA512

            36fb7daa1434c2feaf89031b4cd08cca99e2dd4b3831f0b8958b15d856d892e6bdb3374cf4d3ab7c2ba6c36a27c622bdf7bb6f53d71fb2af3161497deea52477

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            20KB

            MD5

            5d542788279c899923bcfc9533bc5799

            SHA1

            4667e2d10eb0fe502b04637232d06515be5be1b3

            SHA256

            44759cce44242338d8070034cdebe24e179d324580e3c2e5ed3f0408d959e693

            SHA512

            1506c66ffe5f87586d69030517d93e935f14cff7837d0ecf934adc86e467b74052de904d80a8b55edb4ad74f02f78d44036aeedeb83a4cd48df031d2edb7bdac

          • memory/2072-55-0x0000000010000000-0x000000001029B000-memory.dmp

            Filesize

            2.6MB

          • memory/2072-46-0x0000000000C70000-0x0000000000E09000-memory.dmp

            Filesize

            1.6MB

          • memory/2072-45-0x0000000002270000-0x0000000002406000-memory.dmp

            Filesize

            1.6MB

          • memory/2072-35-0x0000000010000000-0x000000001029B000-memory.dmp

            Filesize

            2.6MB

          • memory/2492-12-0x00000000004D0000-0x00000000005D0000-memory.dmp

            Filesize

            1024KB

          • memory/2492-13-0x00000000004D0000-0x00000000005D0000-memory.dmp

            Filesize

            1024KB

          • memory/2492-14-0x00000000004D0000-0x00000000005D0000-memory.dmp

            Filesize

            1024KB

          • memory/2492-0-0x000000002FA41000-0x000000002FA42000-memory.dmp

            Filesize

            4KB

          • memory/2492-11-0x00000000714BD000-0x00000000714C8000-memory.dmp

            Filesize

            44KB

          • memory/2492-2-0x00000000714BD000-0x00000000714C8000-memory.dmp

            Filesize

            44KB

          • memory/2492-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2492-53-0x00000000714BD000-0x00000000714C8000-memory.dmp

            Filesize

            44KB

          • memory/2492-54-0x00000000004D0000-0x00000000005D0000-memory.dmp

            Filesize

            1024KB

          • memory/2492-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB
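The dump names above encode the PID, a sequence number and the start and end address of each region. Two of the regions in PID 2072 (sequence 35 and 55) start at 0x10000000, which is the default image base the MSVC linker assigns to 32-bit DLLs, and span 0x29B000 bytes, which rounds to the same 2.6MB the report gives for app.pln; that is consistent with Regsvr32.exe having mapped the dropped module at its preferred base, though the report itself does not state that link. The following added example (not part of the report or of any sandbox tooling) parses the dump names as printed and performs that size correlation; the region names and dropped-file sizes are copied from this report, and matching a rounded in-memory size against a rounded on-disk size is a heuristic, since a mapped image is page-aligned and can be a little larger than the file.

```python
"""Added example: parse the memory-dump names from the report and tie the
regions in the Regsvr32 process (PID 2072) to the dropped module app.pln.
Region names and dropped-file sizes are copied from the report above."""
import re

DEFAULT_DLL_BASE = 0x10000000  # MSVC default /BASE for 32-bit DLLs

REGION_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")


def parse_region(name):
    """Turn 'memory/2072-55-0x...-0x...-memory.dmp' into a dict of ints."""
    m = REGION_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a region dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_mb(n):
    """Bytes -> MB rounded to one decimal, the precision the report uses."""
    return round(n / (1024 * 1024), 1)


def parse_report_size(text):
    """'2.6MB' or '20KB' as printed in the report -> rounded MB float."""
    num, unit = re.fullmatch(r"([\d.]+)(KB|MB)", text).groups()
    return size_mb(float(num) * (1024 if unit == "KB" else 1024 * 1024))


def correlate(region_names, dropped_files, pid):
    """For one PID, list regions whose size (to 0.1MB) equals a dropped
    file's reported size, noting whether they sit at the default DLL base.
    Sizes that round to 0.0MB (e.g. the 20KB template) are never matched."""
    hits = []
    for r in map(parse_region, region_names):
        if r["pid"] != pid:
            continue
        for path, size_text in dropped_files:
            if size_mb(r["size"]) == parse_report_size(size_text) > 0:
                hits.append({"seq": r["seq"], "start": r["start"], "size": r["size"],
                             "file": path,
                             "at_default_dll_base": r["start"] == DEFAULT_DLL_BASE})
    return hits


# Copied from the report (a subset of the WINWORD regions is enough here).
REGIONS = [
    "memory/2072-55-0x0000000010000000-0x000000001029B000-memory.dmp",
    "memory/2072-46-0x0000000000C70000-0x0000000000E09000-memory.dmp",
    "memory/2072-45-0x0000000002270000-0x0000000002406000-memory.dmp",
    "memory/2072-35-0x0000000010000000-0x000000001029B000-memory.dmp",
    "memory/2492-12-0x00000000004D0000-0x00000000005D0000-memory.dmp",
    "memory/2492-0-0x000000002FA41000-0x000000002FA42000-memory.dmp",
    "memory/2492-11-0x00000000714BD000-0x00000000714C8000-memory.dmp",
    "memory/2492-52-0x000000005FFF0000-0x0000000060000000-memory.dmp",
]
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\app.pln", "2.6MB"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm", "20KB"),
]

if __name__ == "__main__":
    for h in correlate(REGIONS, DROPPED, 2072):
        print(f"seq {h['seq']}: 0x{h['start']:08X} {h['size']:#x} bytes "
              f"~ {h['file']} default_base={h['at_default_dll_base']}")
```

The two remaining 2072 regions (sequence 45 and 46) are both about 1.6MB and match no dropped file; the report gives nothing further about them, so the script only reports what it can tie to a known artifact.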