Analysis

  • max time kernel
    54s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-05-2024 03:31

General

  • Target
    e6f14159a58d5f479fccfcd91eaad285f93d0f35e872ea4deadf67c4f252df28.docm
  • Size
    83KB
  • MD5
    62a55031576a80e9eee504512c043634
  • SHA1
    7f55a58324f6da14bfbaf9d07d88587c7146a0c3
  • SHA256
    e6f14159a58d5f479fccfcd91eaad285f93d0f35e872ea4deadf67c4f252df28
  • SHA512
    5fc664ddaacb6dc99d713fe042a0a67a90b7b2e82f1eae7e9c05de8288656bdaba8d067ed9403a935a137b78aa58d9af8995436b04ec83f97810bc3b7651697f
  • SSDEEP
    1536:Ex+WqQuctgd6mVfv/wnmAgDO+KJxAQN+DHC9S3AGcf+UXZb8ayHZOiqOXCla:q+X8YVn/7dKJW2n92A1+WYoLOCE

Malware Config

Extracted

  • Family
    metasploit
  • Version
    windows/reverse_tcp
  • C2
    192.168.138.217:4444

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e6f14159a58d5f479fccfcd91eaad285f93d0f35e872ea4deadf67c4f252df28.docm"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\radA1D4E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\radA1D4E.tmp.exe"
      2⤵
      • Executes dropped EXE
      PID:2668
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2836

Downloads

  • \Users\Admin\AppData\Local\Temp\radA1D4E.tmp.exe
    Filesize
    72KB
    MD5
    37a56fa4684982db133e75fa6dc315b2
    SHA1
    b0275183285bf582c3ce74225a5cb8c8ecead410
    SHA256
    691d7fac9316038538dcc27fdf137be11379ee06918f9f52d23dc02a1568d850
    SHA512
    4a68647ba96299ab0d828c5bb195064eb74cb09d46e4ff9261c231129de6799998b37f97292c6b63baea1686df823a4e645151a46263dfeed23369e036c0af1d
  • memory/2668-35-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize
    4KB
  • memory/3004-6-0x0000000000330000-0x0000000000430000-memory.dmp
    Filesize
    1024KB
  • memory/3004-16-0x0000000000330000-0x0000000000430000-memory.dmp
    Filesize
    1024KB
  • memory/3004-14-0x0000000000330000-0x0000000000430000-memory.dmp
    Filesize
    1024KB
  • memory/3004-9-0x0000000000330000-0x0000000000430000-memory.dmp
    Filesize
    1024KB
  • memory/3004-8-0x0000000000330000-0x0000000000430000-memory.dmp
    Filesize
    1024KB
  • memory/3004-7-0x0000000000330000-0x0000000000430000-memory.dmp
    Filesize
    1024KB
  • memory/3004-0-0x000000002FCC1000-0x000000002FCC2000-memory.dmp
    Filesize
    4KB
  • memory/3004-10-0x0000000000330000-0x0000000000430000-memory.dmp
    Filesize
    1024KB
  • memory/3004-15-0x0000000000330000-0x0000000000430000-memory.dmp
    Filesize
    1024KB
  • memory/3004-25-0x0000000000330000-0x0000000000430000-memory.dmp
    Filesize
    1024KB
  • memory/3004-20-0x0000000000330000-0x0000000000430000-memory.dmp
    Filesize
    1024KB
  • memory/3004-2-0x000000007096D000-0x0000000070978000-memory.dmp
    Filesize
    44KB
  • memory/3004-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/3004-41-0x000000007096D000-0x0000000070978000-memory.dmp
    Filesize
    44KB
  • memory/3004-42-0x0000000000330000-0x0000000000430000-memory.dmp
    Filesize
    1024KB