Overview

overview

10

Static

static

1

a84b3dd5f7...b.docx

windows7-x64

7

a84b3dd5f7...b.docx

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/08/2024, 20:41

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a84b3dd5f7d29d8d257fdef0ede512ae09e6cd5be7681b9466a5c60f6f877c2b.docx

  • Size

    281KB

  • MD5

    3d9961991e7ae6ad2bae09c475a1bce8

  • SHA1

    69069ac1c9bdc97ff1d060d4fc9f42b91c25669b

  • SHA256

    a84b3dd5f7d29d8d257fdef0ede512ae09e6cd5be7681b9466a5c60f6f877c2b

  • SHA512

    7df0622f888a219c106bb90bf0e2d5ebbb293b65925173f2c483090a9f343f22d646f79e2a2f9329f54056ce6b40262f7082ba4d4cca1408229a4ea294217117

  • SSDEEP

    6144:0zpuMrC2oYig5CHsYRVvtfEgyMSis18NGi8PwbyxiE0/ypN4:01uMnbC1VCXwR8PIKZzN4

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a84b3dd5f7d29d8d257fdef0ede512ae09e6cd5be7681b9466a5c60f6f877c2b.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:3384
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:3084
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:4720
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:2104
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:1496
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:1644
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:1824
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:4872
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:3464
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:2396
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:4244
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:3424
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:232
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:3476
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
      2⤵
      • Process spawned unexpected child process
      PID:4184
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2268

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\B1DF4106-1391-42AC-A827-6EFF30188DFD
            Filesize

            397B

            MD5

            2f82426450332b558a61ae9ca551abd9

            SHA1

            abdbf8f8bdd7572bcdefbd1e0b7da8d3cf17144d

            SHA256

            57d6315a8f1f11aaa111a9956ddd0d560f791f757c379ed77bbb5a1b5b577f52

            SHA512

            dbc43dab6cbde98647c5a88cd508a1528ef79c030286cf82cb4cb03c4af81930ad1c3b2644ead9eceea27cd5772324f42a51f04f1693102254567205a6abf0b5

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\F5B1A0C6-5C35-4AD5-A616-9E22CA0BC067
            Filesize

            1KB

            MD5

            85ad173999ed440af6120f3b4fd436fa

            SHA1

            eebe3bae40b0c82db581b905e2a4c4a90055c9b3

            SHA256

            2fb3e7ca57b5ec8657ff2b909c74dee246e7ed2b30abd60dec96fc4fb88bd165

            SHA512

            3c506252a27bc4a3d718fc2ad89036850ee3c9d5fd79966fc5e28debe1844d96e8d2777e160e8537034129fd8109dff027bf5eb4a082c99d0db93730ec31427e

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\93EAFF48.rtf
            Filesize

            8B

            MD5

            43d35b5b20f491be219ab2eaa172ec55

            SHA1

            1327f20512762a533c22fe181be3fcdd29ab76fe

            SHA256

            1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a

            SHA512

            a721f07b2aa9c5d723a4b11575a602e94a7973278e62bcb5b54d4a48b5adf1bbe3945e5250dd0ccdd8b1b683b864f8c8b98b7c160118ed84846de085eb1d3666

            Download Submit

          • C:\Users\Admin\AppData\Local\Packages\oice_16_974fa576_32c1d314_10ed\AC\Temp\FL67E2.tmp
            Filesize

            50B

            MD5

            a471d39c02ee8428702b468c843c62e3

            SHA1

            91e6f53c4dce4d7822f120da20a75113e5a7dced

            SHA256

            0c9a8ce9516edb686faf2bee4bd9dc3285207031fe5f2f742accf4a525518d8e

            SHA512

            806dd530ce299b765554bb6ae827506d63b9d8a24294df4e827ca8b808894c2b8845009239f80282f522177de483d95099e74ef797e6f3b15a2b54f92dffc03b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\TCDF203.tmp\iso690.xsl
            Filesize

            263KB

            MD5

            ff0e07eff1333cdf9fc2523d323dd654

            SHA1

            77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

            SHA256

            3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

            SHA512

            b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
            Filesize

            289B

            MD5

            9f42270666472c52b3a44669a589aab2

            SHA1

            de532d1f380b177e091e949421efecebd9d7b9db

            SHA256

            d7a25c55a732e8454abc1cc1d37a639ab9b99a04f12e0bdeede300bdee2030ff

            SHA512

            96d6fcd16afbfcab206edd22cf31cbce1d826a6ce5381207aec5620deae1c7b3541efe80544613870ef06551f2b7362ba15fcdb93141ec3177542b0005104749

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
            Filesize

            12B

            MD5

            f6f801e5b0502f5e803ed826dd37ae44

            SHA1

            273e87aa518397186653443c0c3e81d574361708

            SHA256

            e7bcd23ba708556ee69f96050dc7e74f9dab95825bfab48bcea7fd8fac482fd1

            SHA512

            8fe0217b9c7f9331664dc4259c7924b9c7e5e145f0b795ec98d713e41a2e3d001014b3ac41071fe41447632ddbfbbefc8c7d6de8fa9faeca455a0a78575e5584

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
            Filesize

            1KB

            MD5

            04ed537b830a03f2af4f7f940a3f7ccf

            SHA1

            f5050339cf6344f53bbbf1c820e55e54d3120b88

            SHA256

            d9043f16dfe3f89bd686fdc3fd65ee2bf2bb85e3a82836e32ed29a46bbed13e4

            SHA512

            58a8fa229876f3ad1f6bda9d87643c0d03fa36de4c9574988086a2a93360f988b48421051b89c8c5c643eebf06e8424a881ab07da64841b91332a95f94d0a163

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
            Filesize

            3KB

            MD5

            0eb25d8d5cbfb89a49a23d65d5503410

            SHA1

            81827b83b2479c09b5e4084f6e7497910b1b2487

            SHA256

            f17b7a4b15f221c1e394fa957e381987e6486279f300aaac5fd42924725d4644

            SHA512

            e0bb46f4386099971e98f23051c2616dfa0ed56c46520da83cd11efa1ee5ecb7b4f2a3d46ec7964b9bc6d90d3ce6a681e3e4d3f97a14481de618bc10448d004a

            Download Submit

          • C:\Users\Admin\Desktop\~WRD0000.tmp
            Filesize

            324KB

            MD5

            945484c112a8efcfbffd167b4ac803ae

            SHA1

            686c648517ec8e80ba915ca141d79f257291b1f6

            SHA256

            eda7e722b67ba020ee2efed066c6a25c0377eaa630f2015d67301dd6fa62bec9

            SHA512

            b57d14262ed857666d8af869ec4d8c77e6032c4d0f3b075dda0b5f8dfdd38b02f3c342b10cce1884ebfce0814456fb2a09706a40aba918ebd87d0f95e44c5b43

            Download Submit

          • memory/1556-9-0x00007FFA65D10000-0x00007FFA65F05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/1556-121-0x00007FFA65D10000-0x00007FFA65F05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/1556-1-0x00007FFA65DAD000-0x00007FFA65DAE000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1556-3-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1556-6-0x00007FFA65D10000-0x00007FFA65F05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/1556-5-0x00007FFA65D10000-0x00007FFA65F05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/1556-10-0x00007FFA23960000-0x00007FFA23970000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1556-7-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1556-4-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1556-8-0x00007FFA65D10000-0x00007FFA65F05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/1556-0-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1556-11-0x00007FFA23960000-0x00007FFA23970000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1556-122-0x00007FFA65DAD000-0x00007FFA65DAE000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1556-123-0x00007FFA65D10000-0x00007FFA65F05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/1556-124-0x00007FFA65D10000-0x00007FFA65F05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/1556-2-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3384-28-0x00007FFA65D10000-0x00007FFA65F05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/3384-27-0x00007FFA65D10000-0x00007FFA65F05000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/3384-20-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3384-18-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3384-19-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3384-17-0x00007FFA25D90000-0x00007FFA25DA0000-memory.dmp

            Filesize

            64KB

            Download