Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 14 views

    Threat Analysis Report: Hash Values File Details Environment

    Uploaded by

    todo nothing
    The document analyzes a file called SPIDER.doc and finds that it exhibits low level exploiting and scripting behaviors. It also hides, avoids detection and modifies system attributes. The analysis provides details on the processes and timeline of activities of the file.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    Threat Analysis Report: Hash Values File Details Environment

    Uploaded by

    todo nothing
    14 views25 pages
    The document analyzes a file called SPIDER.doc and finds that it exhibits low level exploiting and scripting behaviors. It also hides, avoids detection and modifies system attributes. The analysis provides details on the processes and timeline of activities of the file.

    Original Title

    6108735

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document analyzes a file called SPIDER.doc and finds that it exhibits low level exploiting and scripting behaviors. It also hides, avoids detection and modifies system attributes. The analysis provides details on the processes and timeline of activities of the file.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    14 views25 pages

    Threat Analysis Report: Hash Values File Details Environment

    Uploaded by

    todo nothing
    The document analyzes a file called SPIDER.doc and finds that it exhibits low level exploiting and scripting behaviors. It also hides, avoids detection and modifies system attributes. The analysis provides details on the processes and timeline of activities of the file.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    You are on page 1of 25

    McAfee Advanced Threat Defense

       |  Threat Analysis Report

    File Name SPIDER.doc Threat Level ⬤ 5 - Very High

    Malware Name TYPE_TROJAN Engine GTI File Reputation

    File Submitted 2021-04-13 01:36:10 UTC Processing Time 154 seconds

    File Size 51,712 bytes Sandbox Replication 146 seconds

    Show More Hash Values File Details Environment

    MD5 Hash Identifier 5B24E7C884880A7ABDD53975AF2E565E

    SHA-1 Hash Identifier 62295E55C573B30847235B69837153CB109B267E

    SHA-256 Hash
    7D72F078EE28B94396B051CEC47E57B665A205C09D8772E8FD631CC9ABB7DE64
    Identifier

    Screenshots 19

    Hide hash values

    File Type F

    Hide file details

    Microsoft Windows 7 Professional Service Pack 1 (build 7601, version 6.1.7601), 64-bit

    Windows® Internet Explorer version: 8.0.7601.17514

    Microsoft Office version: 2007

    PDF Reader version: 11.0

    No Flash player installed

    Flash player plugin version: 22.0.0.209

    Platform Version 4.12.0.7

    Detection Package Version 4.12.0.201112

    Hide environment

    Behavior Classification

    Behavior Severity

     Exploiting, Shellcode ⬤ 2 - Low

    Detected scripting content embedded in the sample ⬤ 2 - Low

    ⬤ 1-
    Offile file contains VBA code
    Informational

     Hiding, Camouflage, Stealthiness, Detection and Removal Protection ⬤ 1 - Informational

    ⬤ 1-
    office file Spawns printer spooler
    Informational

    ⬤ 1-
    Offile file contains VBA code
    Informational

    ⬤ 1-
    Changed the protection attribute of the process
    Informational

     Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection ⬤ 1 - Informational

    Retrieved system information such as Processor Architecture,Number ⬤ 1-


    Processors,Processor Type Informational
    Processors,Processor Type Informational

    ⬤ 1-
    Offile file contains VBA code
    Informational

    ⬤ 1-
    Disabled attach/detach notifications from dynamic link library
    Informational

    ⬤ 1-
    Contained long sleep
    Informational

     Spreading ⬤ 1 - Informational

    ⬤ 1-
    Offile file contains VBA code
    Informational

     Persistence, Installation Boot Survival ⬤ 1 - Informational

    ⬤ 1-
    Offile file contains VBA code
    Informational

     Networking ⬤ 1 - Informational

    ⬤ 1-
    Offile file contains VBA code
    Informational

     Data spying, Sniffing, Keylogging, Ebanking Fraud ⬤ 1 - Informational

    ⬤ 1-
    Offile file contains VBA code
    Informational

    ⬤ 1-
    Contained long sleep
    Informational

    Processes Analyzed

    Name Reason Severity

    SPIDER.doc loaded by MATD Analyzer & dropped by SPIDER.doc ⬤ 2 - Low

    splwow64.exe executed by winword ⬤ Unverified

    Timeline Activity

    Processes Files Registry Operations Network Operations Multiple Operations

    Select Any Area to Zoom In

    SPIDER.doc

    s plwow64.exe

    0 6 12 18 24 30 36 42 48 54 60 66 72 78 84 90 96 102 108 114 120 126 132


    Offset in seconds

    Jump to Timeline Details

    Timeline Activity Details

    Time Offset Event Details

    Process Operations, Obtained the contents of the specified variable from the environment block of the
    Process Operations, Obtained the contents of the specified variable from the environment block of the
    00:00:000
    miscellaneous calling process

    00:00:000 Others Initialized a critical section object and set the spin count for the critical section

    File Operations,
    00:00:016 Retrieved the full path for the module
    miscellaneous

    File Operations,
    00:00:016 Obtained the path of the Windows system directory
    miscellaneous

    Process Operations, Changed the protection attribute of process address: 0x2f9d1634, new attribute:
    00:00:016
    miscellaneous Execute_Read

    Process Operations, Changed the protection attribute of process address: 0x2f9d1634, new attribute:
    00:00:016
    miscellaneous Execute_ReadWrite

    Process Operations, Retrieved information on a specific string in the current activation context
    00:00:016
    miscellaneous

    HKLM\Software\Microsoft\.NETFramework
    00:00:172 Registry Read
    UseLegacyV2RuntimeActivationPolicyDefaultValue

    File Operations,
    00:00:172 Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*
    miscellaneous

    HKLM\Software\Microsoft\.NETFramework
    00:00:172 Registry Read
    OnlyUseLatestCLR

    File Operations,
    00:00:172 Obtained a set of FAT file system attributes for a file or directory
    miscellaneous

    HKLM\Software\Microsoft\.NETFramework
    00:00:172 Registry Read
    InstallRoot

    00:00:172 Files Read C:\Windows\Microsoft.NET\Framework\

    00:00:172 Registry Opened HKLM\Software\Microsoft\.NETFramework

    C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE.config


    Read
    00:00:172 Files Opened
    Normal

    C:\Windows\Microsoft.NET\Framework\\v4.0.30319\clr.dll
    20000
    00:00:172 Files Opened 10000000

    C:\Windows\Microsoft.NET\Framework\\v2.0.50727\mscorwks.dll
    20000
    00:00:172 Files Opened
    10000000

    C:\Windows\Microsoft.NET\Framework\\v2.0.50727\clr.dll
    20000
    00:00:172 Files Opened
    10000000

    C:\Windows\Microsoft.NET\Framework\\v1.1.4322\mscorwks.dll
    20000
    00:00:172 Files Opened
    10000000

    C:\Windows\Microsoft.NET\Framework\\v1.1.4322\clr.dll
    20000
    00:00:172 Files Opened
    10000000

    C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll
    20000
    00:00:172 Files Opened
    10000000

    C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll
    20000
    00:00:172 Files Opened
    10000000
    00:00:172 Registry Opened HKCU\Software\Microsoft\.NETFramework

    00:00:188 Registry Opened HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades

    00:00:188 Registry Opened HKLM\SOFTWARE\Microsoft\Fusion

    HKLM\SOFTWARE\Microsoft\Fusion
    00:00:188 Registry Read
    NoClientChecks

    00:00:188 Files Read C:\Windows\Microsoft.NET\Framework\v2.0.50727

    Registry Operations, Enumerated the values for an open registry key


    00:00:188
    miscellaneous

    00:00:281 Others Retrieved the current local date and time

    c:\windows\splwow64.exe
    00:00:328 Process Created c:\windows\splwow64.exe 12288

    Obtained the current system date and time in in Coordinated Universal Time (UTC)
    00:00:344 Others
    format

    File Operations,
    00:00:344 Retrieved the full path for the module
    miscellaneous

    00:00:344 Registry Opened HKLM\System\CurrentControlSet\Control\Print

    ffcea838
    00:00:344 Thread Created

    ffce6cd8

    00:00:344 Thread Created

    HKLM\System\CurrentControlSet\Control\Print
    00:00:344 Registry Read
    SplWOW64TimeOut

    ffceaa2c
    00:00:344 Thread Created

    00:00:344 Others Obtained information about an access token

    00:00:344 Others Initialized a critical section object and set the spin count for the critical section

    Converted a string-format security descriptor into a valid, functional security


    00:00:344 Others
    descriptor

    Process Operations,
    00:00:344 Enabled an application to supersede the top-level exception handler
    miscellaneous

    00:00:344 Signal Objects ffffffff

    Process Operations, Set a waiting mode until a specified object is in the signaled state or the time-out
    00:00:344
    miscellaneous interval elapses

    Process Operations,
    00:00:344 Retrieved the Remote Desktop Services session
    miscellaneous

    Process Operations,
    00:00:344 Opened the access token associated with a process
    miscellaneous

    Process Operations,
    00:00:344 Opened the access token associated with a thread
    miscellaneous

    {529A9E6B-6587-4F23-AB9E-9C7D683E3C50}
    00:00:422 Process Created

    {FA445657-9379-11D6-B41A-00065B83EE53}
    00:00:438 Process Created

    C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
    Write
    00:00:485 Files Created
    Hidden
    Files Created
    Hidden

    Process Operations,
    00:00:485 Initialized COM library for the current thread and set it in the concurrency mode
    miscellaneous

    {1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
    00:00:500 Process Created

    {0E5AAE11-A475-4C5B-AB00-C66DE400274E}
    00:00:750 Process Created

    {DFFACDC5-679F-4156-8947-C5C76BC0B67F}
    00:00:750 Process Created

    {88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}
    00:00:797 Process Created

    {88D969EF-F192-11D4-A65F-0040963251E5}
    00:00:828 Process Created

    C:\afkadfzmhi\~$9ae5dd-c456-4286-9c17-cf55f0ac7213.doc
    Write
    00:01:016 Files Created
    Hidden

    {33C53A50-F456-4884-B049-85FD643ECFED}
    00:01:281 Process Created

    C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\969ae5dd-c456-
    00:01:485 Files Deleted
    4286-9c17-cf55f0ac7213.LNK

    00:01:766 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\afkadfzmhi.LNK

    Process Operations,
    00:02:062 Obtained the identifier of the thread or process that created the specified window
    miscellaneous

    00:02:062 Others Retrieved information about a locale specified by a identifier

    File Operations,
    00:02:062 Obtained the current directory for the current process
    miscellaneous

    00:02:062 Registry Opened HKCR\Licenses

    00:02:078 Others Obtained the system metric or system configuration setting

    00:02:094 Registry Opened HKLM\SOFTWARE\Microsoft\VBA\Monitors

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:02:109 Registry Read
    CompileOnDemand

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:02:109 Registry Read
    NotifyUserBeforeStateLoss

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:02:109 Registry Read
    BreakOnServerErrors

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:02:109 Registry Read
    BreakOnAllErrors

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:02:109 Registry Read
    BackGroundCompile

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:02:109 Registry Read
    RequireDeclaration

    Enumerated registry keys


    00:02:109 Registry Read

    File Operations, Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or
    00:02:109
    miscellaneous network drive

    00:02:109 Registry Created HKCU\Software\Microsoft\VBA\6.0\Common


    00:02:109 Registry Opened HKCR\TypeLib

    00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}

    00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4

    00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0

    00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0\win32

    00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\409

    00:02:109 Registry Opened HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\9

    00:02:125 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0

    00:02:125 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0

    00:02:125 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32

    00:02:125 Registry Opened HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}

    00:02:125 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}

    00:02:125 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4

    00:02:125 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0

    00:02:125 Registry Opened HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32

    File Operations,
    00:02:125 Searched a directory for the name: Normal
    miscellaneous

    00:02:141 Registry Opened HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}

    00:02:141 Process Created C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE14\EXCEL.EXE

    00:02:625 Process Created C:\AFKADFZMHI\EXCEL.EXE

    00:03:125 Registry Opened HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0

    00:03:125 Registry Opened HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}

    00:03:125 Registry Opened HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0

    00:03:125 Registry Opened HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win32

    00:03:453 Registry Opened HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0\0

    00:03:453 Registry Opened HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}

    00:03:453 Registry Opened HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0

    00:03:453 Registry Opened HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0\0\win32

    Directories C:\Users\ADMINI~1\AppData\Local\Temp\VBE
    00:03:500
    Created/Opened

    00:03:500 Files Read Normal

    File Operations,
    00:03:500 Retrieved the path of the directory designated for temporary files
    miscellaneous

    65001f64
    00:04:203 Thread Created

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:265 Registry Read
    SyntaxChecking

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:265 Registry Read
    FullModuleView

    HKCU\Software\Microsoft\VBA\6.0\Common
    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:265 Registry Read
    IndicatorBar

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:265 Registry Read AutoValueTips2

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:265 Registry Read
    EndProcLine

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:265 Registry Read
    DragDropInEditor

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:265 Registry Read
    AutoIndent

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:265 Registry Read
    AutoQuickTips2

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:265 Registry Read
    AutoStatement2

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:281 Registry Read
    OBGroupMembers

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:281 Registry Read
    OBSearchHeight

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:281 Registry Read
    IndicatorColors

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:281 Registry Read
    FontCharSet

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:281 Registry Read
    TabWidth

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:281 Registry Read
    FontHeight

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:281 Registry Read
    FontFace

    00:04:281 Others Retrieved an integer from a key in a section of the Win.ini file

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:281 Registry Read
    CodeForeColors

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:281 Registry Read
    CodeBackColors

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:296 Registry Read
    ShowToolTips

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:296 Registry Read
    ShowGrid

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:296 Registry Read
    SaveBeforeRun

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:296 Registry Read
    AlignToGrid

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:296 Registry Read
    MdiMaximized

    00:04:296 Registry Opened HKCU\Software\Microsoft\VBA\6.0\Common

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:296 Registry Read
    GridWidth

    00:04:296 Registry Read HKCU\Software\Microsoft\VBA\6.0\Common


    GridHeight

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:313 Registry Read
    ReadOnlyMode

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:313 Registry Read
    BackgroundProjectLoad
    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:313 Registry Read
    UpgradeVBX

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:313 Registry Read
    CollapseWindows

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:328 Registry Read
    FolderView

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:343 Registry Read
    Tool

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:390 Registry Read
    PropertiesWindow

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:390 Registry Read
    Dock

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:390 Registry Read
    UI

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:406 Registry Read
    CtlsShowSelected

    00:04:406 Registry Opened HKCU\Software\Microsoft\VBA\VBE\6.0\Addins

    00:04:406 Registry Opened HKCU\Software\Microsoft\VBA\6.0\Common\ToolboxControls

    00:04:406 Registry Opened HKCU\Software\Microsoft\VBA\6.0\Common\Designers

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:406 Registry Read
    DsnShowSelected

    HKCU\Software\Microsoft\VBA\6.0\Common
    00:04:421 Registry Read
    MainWindow

    Obtained the current system date and time in in Coordinated Universal Time (UTC)
    00:04:438 Others
    format

    HKLM\Software\Microsoft\Windows\Help
    00:04:485 Registry Read
    VbLR6.chm

    HKLM\Software\Microsoft\Windows\HTML Help
    00:04:485 Registry Read
    VbLR6.chm

    00:04:485 Registry Opened HKLM\Software\Microsoft\Windows

    00:04:485 Registry Opened HKLM\Software\Microsoft\Windows\HTML Help

    00:04:485 Registry Opened HKLM\Software\Microsoft\Windows\Help

    {7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
    00:08:296 Process Created

    HKCU\Software\Microsoft\Shared Tools\Proofing
    02:11:953 Registry Created
    Tools\Grammar\MSGrammar\3.0\1033

    HKCU\Software\Microsoft\Shared Tools\Proofing
    02:11:953 Registry Created Tools\Grammar\MSGrammar\3.0\1033\Option Set 0

    HKCU\Software\Microsoft\Shared Tools\Proofing
    02:11:953 Registry Created
    Tools\Grammar\MSGrammar\3.0\1033\Option Set 1

    02:11:953 Others Recorded system information

    HKCU\Software\Microsoft\Shared Tools\Proofing
    Tools\Grammar\MSGrammar\3.0\1033\Option Set 1\Name
    02:11:953 Registry Modified
    Grammar Only
    REG_SZ

    HKCU\Software\Microsoft\Shared Tools\Proofing
    Tools\Grammar\MSGrammar\3.0\1033\Option Set 0\Data
    02:11:953 Registry Modified
    1010101
    REG_BINARY

    HKCU\Software\Microsoft\Shared Tools\Proofing
    HKCU\Software\Microsoft\Shared Tools\Proofing
    Tools\Grammar\MSGrammar\3.0\1033\Option Set 0\Name
    02:11:953 Registry Modified
    Grammar & Style
    REG_SZ

    Process Operations, Disabled the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the
    02:11:953
    miscellaneous dynamic-link library

    HKCU\Software\Microsoft\Shared Tools\Proofing
    Tools\Grammar\MSGrammar\3.0\1033\Options Version
    02:11:953 Registry Modified
    1
    REG_DWORD

    HKCU\Software\Microsoft\Shared Tools\Proofing
    02:11:953 Registry Read Tools\Grammar\MSGrammar\3.0\1033
    Options Version

    HKCU\Software\Microsoft\Shared Tools\Proofing
    Tools\Grammar\MSGrammar\3.0\1033\Option Set 1\Data
    02:11:953 Registry Modified
    1010101
    REG_BINARY

    C:\Program Files (x86)\Common Files\Microsoft Shared\PROOF\MSGR3EN.LEX


    Read
    02:11:985 Files Opened
    Normal

    02:11:985 Memory Mapped Files Created a file that can be used for memory mapping

    02:11:985 Registry Opened HKLM\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0

    C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet
    02:13:610 Files Deleted
    Files\Content.Word\~WRS{0AF513FD-F7A4-44FB-80CB-0C4B210861A4}.tmp

    02:13:610 Files Deleted C:\afkadfzmhi\~$9ae5dd-c456-4286-9c17-cf55f0ac7213.doc

    02:13:641 Files Deleted C:\Users\Administrator\AppData\Local\Microsoft\Schemas\MS Word_restart.xml

    HKCU\Software\Microsoft\VBA\6.0\Common\PropertiesWindow
    02:13:688 Registry Modified 8 8 180 400 1
    REG_SZ

    HKCU\Software\Microsoft\VBA\6.0\Common\UI
    02:13:735 Registry Modified 68
    REG_BINARY

    C:\Users\Administrator\AppData\Roaming\Microsoft\Office\VB12.pip
    Write
    02:13:735 Files Created
    8100000

    HKCU\Software\Microsoft\VBA\6.0\Common\Tool
    02:13:735 Registry Modified 0
    REG_BINARY

    HKCU\Software\Microsoft\VBA\6.0\Common\MdiMaximized
    02:13:735 Registry Modified 0
    REG_SZ

    HKCU\Software\Microsoft\VBA\6.0\Common\MainWindow
    02:13:735 Registry Modified 0 0 800 560 1
    REG_SZ

    HKCU\Software\Microsoft\VBA\6.0\Common\FolderView
    02:13:735 Registry Modified 1
    REG_SZ

    HKCU\Software\Microsoft\VBA\6.0\Common\DsnShowSelected
    02:13:735 Registry Modified 0
    REG_SZ

    HKCU\Software\Microsoft\VBA\6.0\Common\Dock
    02:13:735 Registry Modified 14C0002
    REG_BINARY

    HKCU\Software\Microsoft\VBA\6.0\Common\CtlsShowSelected
    02:13:735 Registry Modified 0
    REG_SZ
    Process Operations, Set a waiting mode until a specified object is in the signaled state or the time-out
    02:13:875
    miscellaneous interval elapses

    02:13:953 Files Deleted C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

    C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet
    02:13:953 Files Deleted
    Files\Content.Word\~WRS{C194387D-76DB-465D-A9CD-C73D5006B5D2}.tmp

    C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Word12.pip
    Write
    02:13:953 Files Created
    8100000

    C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet
    02:14:016 Files Deleted
    Files\Content.Word\~WRF{7667F9FE-3D76-4014-84A1-480F8BC70EE1}.tmp

    02:14:016 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\CVRD699.tmp.cvr

    02:14:016 Files Deleted C:\Users\ADMINI~1\AppData\Local\Temp\54937.od

    Engine Analysis

    Engine Threat Name Severity

    GTI File Reputation TYPE_TROJAN ⬤ 5 - Very High

    GTI URL Reputation

    Gateway Anti-Malware RDN/GenDownloader.avm ⬤ 5 - Very High

    Anti-Malware RDN/GenDownloader.avm ⬤ 5 - Very High

    YARA

    Custom Rules

    Sandbox ⬤ 2 - Low

    Final ⬤ 5 - Very High

    Sample is malicious: final severity level 5

    Embedded/Dropped content

    MD5 Name Category

    126AACB44244697509482C60C8556D40 969ae5dd-c456-4286-9c17-cf55f0ac7213.vba * ---

    516A986528AB3D16514FA983B0EA4CF7 VB12.pip * ---

    36A5B5B1F0AC95E51AB417DD0D4BBF8D Word12.pip * ---

    * Attachments were extracted from the sample file and stored in the dropfiles.zip

    Screenshots

    Note: a pop-up window was detected during dynamic analysis so user interaction may be required in order to fully analyze this sample

    Images: 19

    21246.jpg
    216f9.jpg

    26528.jpg
    2931e.jpg

    2a31c.jpg
    1020e.jpg

    2d140.jpg
    28e6b.jpg

    2bc8f.jpg
    1122b.jpg

    269db.jpg

    2550b.jpg
    f57b.jpg

    279ca.jpg

    27e7d.jpg
    2a7cf.jpg

    2cc7d.jpg
    2b7dc.jpg

    e52f.jpg
    SPIDER.doc

    Run-Time Dlls: 8
    api-ms-win-appmodel-runtime-l1-1-0.dll

    vbe6intl.dll

    comctl32.dll

    oleaut32.dll

    shlwapi.dll

    vbe6.dll

    version.dll

    wwlib.dll
    wwlib.dll

    File Operations: 36

    Files Created

    File Name Access Mode File Attributes

    C:\Users\Administrator\AppData\Roaming\Microsoft\Office\VB12.pip Write 8100000

    C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Word12.pip Write 8100000

    C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Write Hidden

    C:\afkadfzmhi\~$9ae5dd-c456-4286-9c17-cf55f0ac7213.doc Write Hidden

    Files Opened

    File Name Access Mode File Attributes

    C:\Program Files (x86)\Common Files\Microsoft Shared\PROOF\MSGR3EN.LEX Read Normal

    C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE.config Read Normal

    C:\Windows\Microsoft.NET\Framework\\v1.0.3705\clr.dll 20000 10000000

    C:\Windows\Microsoft.NET\Framework\\v1.0.3705\mscorwks.dll 20000 10000000

    C:\Windows\Microsoft.NET\Framework\\v1.1.4322\clr.dll 20000 10000000

    C:\Windows\Microsoft.NET\Framework\\v1.1.4322\mscorwks.dll 20000 10000000

    C:\Windows\Microsoft.NET\Framework\\v2.0.50727\clr.dll 20000 10000000

    C:\Windows\Microsoft.NET\Framework\\v2.0.50727\mscorwks.dll 20000 10000000

    C:\Windows\Microsoft.NET\Framework\\v4.0.30319\clr.dll 20000 10000000

    Files Deleted

    C:\Users\ADMINI~1\AppData\Local\Temp\54937.od

    C:\Users\ADMINI~1\AppData\Local\Temp\CVRD699.tmp.cvr

    C:\Users\Administrator\AppData\Local\Microsoft\Schemas\MS Word_restart.xml

    C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{7667F9FE-3D76-4014-84A1-


    480F8BC70EE1}.tmp

    C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0AF513FD-F7A4-44FB-80CB-


    0C4B210861A4}.tmp

    C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C194387D-76DB-465D-A9CD-


    C73D5006B5D2}.tmp

    C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\969ae5dd-c456-4286-9c17-cf55f0ac7213.LNK

    C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\afkadfzmhi.LNK

    C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

    C:\afkadfzmhi\~$9ae5dd-c456-4286-9c17-cf55f0ac7213.doc

    Files Read

    C:\Windows\Microsoft.NET\Framework\

    C:\Windows\Microsoft.NET\Framework\v2.0.50727

    Normal

    Directories Created/Opened

    New Directory Template Directory

    C:\Users\ADMINI~1\AppData\Local\Temp\VBE
    Memory Mapped Files

    Created a file that can be used for memory mapping

    Other

    Determined whether a disk drive C:\ is a removable, fixed, CD-ROM, RAM disk, or network drive

    Obtained a set of FAT file system attributes for a file or directory

    Obtained the current directory for the current process

    Obtained the path of the Windows system directory

    Retrieved the full path for the module

    Retrieved the path of the directory designated for temporary files

    Searched a directory for the name: C:\Windows\Microsoft.NET\Framework\\*

    Searched a directory for the name: Normal

    Registry Operations: 108

    Registry Created

    HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033

    HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option Set 0

    HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option Set 1

    HKCU\Software\Microsoft\VBA\6.0\Common

    Registry Opened

    HKCR\Licenses

    HKCR\TypeLib

    HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}

    HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0

    HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0

    HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32

    HKCR\TypeLib\{00020813-0000-0000-C000-000000000046}

    HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}

    HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4

    HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0

    HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\0\win32

    HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\409

    HKCR\TypeLib\{00020905-0000-0000-C000-000000000046}\8.4\9

    HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}

    HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0

    HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0

    HKCR\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win32

    HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}

    HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4

    HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0

    HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32
    HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.4\0\win32

    HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}

    HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0

    HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0\0

    HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\3.0\0\win32

    HKCU\Software\Microsoft\.NETFramework

    HKCU\Software\Microsoft\VBA\6.0\Common

    HKCU\Software\Microsoft\VBA\6.0\Common\Designers

    HKCU\Software\Microsoft\VBA\6.0\Common\ToolboxControls

    HKCU\Software\Microsoft\VBA\VBE\6.0\Addins

    HKLM\SOFTWARE\Microsoft\Fusion

    HKLM\SOFTWARE\Microsoft\VBA\Monitors

    HKLM\Software\Microsoft\.NETFramework

    HKLM\Software\Microsoft\.NETFramework\Policy\Upgrades

    HKLM\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0

    HKLM\Software\Microsoft\Windows

    HKLM\Software\Microsoft\Windows\HTML Help

    HKLM\Software\Microsoft\Windows\Help

    Registry Modified

    Key NewValue Type

    HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option

    Set 0\Data 1010101 REG_BINARY

    HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option Grammar &


    REG_SZ
    Set 0\Name Style

    HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option


    1010101 REG_BINARY
    Set 1\Data

    HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Option


    Grammar Only REG_SZ
    Set 1\Name

    HKCU\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033\Options


    1 REG_DWORD
    Version

    HKCU\Software\Microsoft\VBA\6.0\Common\CtlsShowSelected 0 REG_SZ

    HKCU\Software\Microsoft\VBA\6.0\Common\Dock 14C0002 REG_BINARY

    HKCU\Software\Microsoft\VBA\6.0\Common\DsnShowSelected 0 REG_SZ

    HKCU\Software\Microsoft\VBA\6.0\Common\FolderView 1 REG_SZ

    HKCU\Software\Microsoft\VBA\6.0\Common\MainWindow 0 0 800 560 1 REG_SZ

    HKCU\Software\Microsoft\VBA\6.0\Common\MdiMaximized 0 REG_SZ

    HKCU\Software\Microsoft\VBA\6.0\Common\PropertiesWindow 8 8 180 400 1 REG_SZ

    HKCU\Software\Microsoft\VBA\6.0\Common\Tool 0 REG_BINARY

    HKCU\Software\Microsoft\VBA\6.0\Common\UI 68 REG_BINARY

    Registry Read

    Enumerated registry keys


    HKCU\Software\Microsoft\Shared Tools\Proofing
    Options Version
    Tools\Grammar\MSGrammar\3.0\1033

    HKCU\Software\Microsoft\VBA\6.0\Common AlignToGrid

    HKCU\Software\Microsoft\VBA\6.0\Common AutoIndent

    HKCU\Software\Microsoft\VBA\6.0\Common AutoQuickTips2

    HKCU\Software\Microsoft\VBA\6.0\Common AutoStatement2

    HKCU\Software\Microsoft\VBA\6.0\Common AutoValueTips2

    HKCU\Software\Microsoft\VBA\6.0\Common BackGroundCompile

    HKCU\Software\Microsoft\VBA\6.0\Common BackgroundProjectLoad

    HKCU\Software\Microsoft\VBA\6.0\Common BreakOnAllErrors

    HKCU\Software\Microsoft\VBA\6.0\Common BreakOnServerErrors

    HKCU\Software\Microsoft\VBA\6.0\Common CodeBackColors

    HKCU\Software\Microsoft\VBA\6.0\Common CodeForeColors

    HKCU\Software\Microsoft\VBA\6.0\Common CollapseWindows

    HKCU\Software\Microsoft\VBA\6.0\Common CompileOnDemand

    HKCU\Software\Microsoft\VBA\6.0\Common CtlsShowSelected

    HKCU\Software\Microsoft\VBA\6.0\Common Dock

    HKCU\Software\Microsoft\VBA\6.0\Common DragDropInEditor

    HKCU\Software\Microsoft\VBA\6.0\Common DsnShowSelected

    HKCU\Software\Microsoft\VBA\6.0\Common EndProcLine

    HKCU\Software\Microsoft\VBA\6.0\Common FolderView

    HKCU\Software\Microsoft\VBA\6.0\Common FontCharSet

    HKCU\Software\Microsoft\VBA\6.0\Common FontFace

    HKCU\Software\Microsoft\VBA\6.0\Common FontHeight

    HKCU\Software\Microsoft\VBA\6.0\Common FullModuleView

    HKCU\Software\Microsoft\VBA\6.0\Common GridHeight

    HKCU\Software\Microsoft\VBA\6.0\Common GridWidth

    HKCU\Software\Microsoft\VBA\6.0\Common IndicatorBar

    HKCU\Software\Microsoft\VBA\6.0\Common IndicatorColors

    HKCU\Software\Microsoft\VBA\6.0\Common MainWindow

    HKCU\Software\Microsoft\VBA\6.0\Common MdiMaximized

    HKCU\Software\Microsoft\VBA\6.0\Common NotifyUserBeforeStateLoss

    HKCU\Software\Microsoft\VBA\6.0\Common OBGroupMembers

    HKCU\Software\Microsoft\VBA\6.0\Common OBSearchHeight

    HKCU\Software\Microsoft\VBA\6.0\Common PropertiesWindow

    HKCU\Software\Microsoft\VBA\6.0\Common ReadOnlyMode

    HKCU\Software\Microsoft\VBA\6.0\Common RequireDeclaration

    HKCU\Software\Microsoft\VBA\6.0\Common SaveBeforeRun

    HKCU\Software\Microsoft\VBA\6.0\Common ShowGrid

    HKCU\Software\Microsoft\VBA\6.0\Common ShowToolTips
    HKCU\Software\Microsoft\VBA\6.0\Common ShowToolTips

    HKCU\Software\Microsoft\VBA\6.0\Common SyntaxChecking

    HKCU\Software\Microsoft\VBA\6.0\Common TabWidth

    HKCU\Software\Microsoft\VBA\6.0\Common Tool

    HKCU\Software\Microsoft\VBA\6.0\Common UI

    HKCU\Software\Microsoft\VBA\6.0\Common UpgradeVBX

    HKLM\SOFTWARE\Microsoft\Fusion NoClientChecks

    HKLM\Software\Microsoft\.NETFramework InstallRoot

    HKLM\Software\Microsoft\.NETFramework OnlyUseLatestCLR

    HKLM\Software\Microsoft\.NETFramework UseLegacyV2RuntimeActivationPolicyDefaultValue

    HKLM\Software\Microsoft\Windows\HTML Help VbLR6.chm

    HKLM\Software\Microsoft\Windows\Help VbLR6.chm

    Other

    Enumerated the values for an open registry key

    Process Operations: 21

    Process Created

    Process Name Module

    C:\AFKADFZMHI\EXCEL.EXE

    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE14\EXCEL.EXE

    c:\windows\splwow64.exe c:\windows\splwow64.exe 12288

    {0E5AAE11-A475-4C5B-AB00-C66DE400274E}

    {1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}

    {33C53A50-F456-4884-B049-85FD643ECFED}

    {529A9E6B-6587-4F23-AB9E-9C7D683E3C50}

    {7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}

    {88D969EC-8B8B-4C3D-859E-AF6CD158BE0F}

    {88D969EF-F192-11D4-A65F-0040963251E5}

    {DFFACDC5-679F-4156-8947-C5C76BC0B67F}

    {FA445657-9379-11D6-B41A-00065B83EE53}

    Thread Created

    65001f64

    Other

    Changed the protection attribute of process address: 0x2f9d1634, new attribute: Execute_Read

    Changed the protection attribute of process address: 0x2f9d1634, new attribute: Execute_ReadWrite

    Disabled the DLL_THREAD_ATTACH and DLL_THREAD_DETACH notifications for the dynamic-link library

    Initialized COM library for the current thread and set it in the concurrency mode

    Obtained the contents of the specified variable from the environment block of the calling process

    Obtained the identifier of the thread or process that created the specified window

    Retrieved information on a specific string in the current activation context


    Set a waiting mode until a specified object is in the signaled state or the time-out interval elapses

    Other Operations: 7

    Others

    Initialized a critical section object and set the spin count for the critical section

    Obtained the current system date and time in in Coordinated Universal Time (UTC) format

    Obtained the system metric or system configuration setting

    Recorded system information

    Retrieved an integer from a key in a section of the Win.ini file

    Retrieved information about a locale specified by a identifier

    Retrieved the current local date and time

    McAfee Active Response

    Status: Product is not Available

    © 2020 McAfee, LLC. All rights reserved.


    © 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

    You might also like