Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/04/2024, 09:57

General

  • Target

    221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292.docm

  • Size

    1.4MB

  • MD5

    13814a190f61b36aff24d6aa1de56fe2

  • SHA1

    08fd3f4cdcb6e4c3cb28935c41781e5fe84bf0c6

  • SHA256

    221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292

  • SHA512

    7010c2168caebc9d01d0cf0113dbb92f0c935c619db5771fffe46b2a72bf249015fb64d672b368d61e046b52a90b67e3a75e14948fd64b66caa00aff3900aed5

  • SSDEEP

    24576:8rlNSREIjCl771rVRpKaPwV8kaUMkj7kWk7xuhai1oM54t9OwdeLx:8rlNSRsFhVRpdgJapgk9qaSl52O51

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292.docm"
    • Drops startup file
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
        PID:2520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1555846B.jpeg
    Filesize
    99KB
    MD5
    b391a3e7c08c8c9cedb5f437e122b859
    SHA1
    094623500ca4be05995617924c4dbc097847d1ac
    SHA256
    c610b8ae528c38bd52e328c4ec644efe27a630318b0858a0ebdb3828a0dad5cf
    SHA512
    22c98f9658cf6d675f86f110eca237bc4999891e6401b32b020884847cda88eed75310d7d36a1c6aff41f014c57e85564b23f024fc28886118639946aa257350

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FD66CF18.wmf
    Filesize
    490B
    MD5
    f83a88b2b0e12b7ac85be9f154acdc30
    SHA1
    07a2105bd8ec45ac21e0a73316309d6a72964a18
    SHA256
    79ce6d4c85c2ca55fee05bbe55fdd2b891976745d67b6a1c09cc9a28c6cfe736
    SHA512
    9af159616acd290532669cea4a91dd6f2939e518072d6a3eedcd9becbd234e9e210ca03c4b0005b62aef406a60eb4f88f01b864c53c950fcb4f6313cc92be4ed

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize
    20KB
    MD5
    aaf47ed91c021351f8eda1e94c96bcde
    SHA1
    d468697e09d5a068e708c172f0981d3a27524cec
    SHA256
    aa21710033438dff70b23cd0472976d17d18a5656e0ad1f900246fd4339e55c0
    SHA512
    2491475260a738ef360cca654945b337ba8b378605fc815d72ea91c618e293d7c77ab002d8027f79bb195118fa065ad7bfc907a931efce5be7606861563da067

  • memory/1684-20-0x00000000005A0000-0x00000000006A0000-memory.dmp
    Filesize
    1024KB

  • memory/1684-29-0x0000000005900000-0x0000000005A00000-memory.dmp
    Filesize
    1024KB

  • memory/1684-18-0x00000000005A0000-0x00000000006A0000-memory.dmp
    Filesize
    1024KB

  • memory/1684-19-0x00000000005A0000-0x00000000006A0000-memory.dmp
    Filesize
    1024KB

  • memory/1684-21-0x00000000005A0000-0x00000000006A0000-memory.dmp
    Filesize
    1024KB

  • memory/1684-0-0x000000002F9F1000-0x000000002F9F2000-memory.dmp
    Filesize
    4KB

  • memory/1684-28-0x000000007178D000-0x0000000071798000-memory.dmp
    Filesize
    44KB

  • memory/1684-11-0x0000000005900000-0x0000000005A00000-memory.dmp
    Filesize
    1024KB

  • memory/1684-30-0x00000000005A0000-0x00000000006A0000-memory.dmp
    Filesize
    1024KB

  • memory/1684-31-0x00000000005A0000-0x00000000006A0000-memory.dmp
    Filesize
    1024KB

  • memory/1684-34-0x00000000005A0000-0x00000000006A0000-memory.dmp
    Filesize
    1024KB

  • memory/1684-35-0x0000000005140000-0x0000000005240000-memory.dmp
    Filesize
    1024KB

  • memory/1684-2-0x000000007178D000-0x0000000071798000-memory.dmp
    Filesize
    44KB

  • memory/1684-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB

  • memory/1684-65-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB