Analysis
-
max time kernel: 73s
max time network: 28s
platform: windows7_x64
resource: win7v20201028
submitted: 14-12-2020 12:48
Static task: static1
Behavioral task: behavioral1
Sample: af56714d4d1754000f42f1e8220d1b64.doc
Resource: win7v20201028
Behavioral task: behavioral2
Sample: af56714d4d1754000f42f1e8220d1b64.doc
Resource: win10v20201028
General
-
Target: af56714d4d1754000f42f1e8220d1b64.doc
Size: 420KB
MD5: af56714d4d1754000f42f1e8220d1b64
SHA1: e920748f1ac768b0f35c02a6b121fc496412ba6d
SHA256: a82c6a23644bfd7b236b737e30582f01e65632b5786fbe6b9c52191eb1eaf714
SHA512: b52938dece21877a8924c25d47cdba09ff112a81d96ed046131848485246854b52477c2b6f04fbaee72cd5a3cb053b8fa1cefcd64b85d08bc6140ce80984e3c1
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1408 | 1828 | powershell.exe | WINWORD.EXE
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1880 | 803d76071.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
1408 | powershell.exe (4 identical entries)
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1828 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
1408 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1408 | powershell.exe
-
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
pid | process
1828 | WINWORD.EXE (16 identical entries)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1828 wrote to memory of 1408 | 1828 | WINWORD.EXE | powershell.exe (4 identical entries)
PID 1828 wrote to memory of 1564 | 1828 | WINWORD.EXE | splwow64.exe (4 identical entries)
PID 1408 wrote to memory of 1880 | 1408 | powershell.exe | 803d76071.exe (4 identical entries)
Processes
-
[1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\af56714d4d1754000f42f1e8220d1b64.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ep bypass -c .\aaa.ps1
        - Process spawned unexpected child process
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\programdata\803d76071.exe
            Command line: "C:\programdata\803d76071.exe"
            - Executes dropped EXE
    [2] C:\Windows\splwow64.exe
        Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\803d76071.exe
MD5: bef2bcb61c1fa9af265659c4123c11ac
SHA1: 76993db88b0f0c3ed6252b114636cf39a30220d6
SHA256: 14dce17f99955f86b05970aa13e35680e879aaa190e598bdcdc4dbf54ee90734
SHA512: 9072c3eb4f1ef3a8f15807db618af9180dd0b02bfaa9c0fc2191f9ec548f1e8ea837f14aeedda30e95781a5935e134f8ee40aa5c4ff0df5a32a0382ebc6af7eb
-
C:\programdata\803d76071.aaa
MD5: 2bb165a96a9d2e77aa202b9ed6f30c48
SHA1: 7120be00500f70ebceb9e24cdc692d390054a9e5
SHA256: bae2b1fe61602413ca6b39f7f8f35fcfcdd593c976f246942143313527dfe27f
SHA512: ba4a1c6360de1fdda0ae17afe7f441140620c7569842fdf407f9126e268dd436d478670d901648e2969b7fefaff9f15c0e4f4bd0ac282bc59871a8ebb1507567
-
C:\programdata\803d76071.exe
MD5: bef2bcb61c1fa9af265659c4123c11ac
SHA1: 76993db88b0f0c3ed6252b114636cf39a30220d6
SHA256: 14dce17f99955f86b05970aa13e35680e879aaa190e598bdcdc4dbf54ee90734
SHA512: 9072c3eb4f1ef3a8f15807db618af9180dd0b02bfaa9c0fc2191f9ec548f1e8ea837f14aeedda30e95781a5935e134f8ee40aa5c4ff0df5a32a0382ebc6af7eb
-
C:\programdata\McAfeeServiceWT0P.bat
MD5: b9772ff4b233b840bfa9cee878c96d98
SHA1: 27ea3d7cffe7c53e34c0ea207bd2961bd20ce9d2
SHA256: 22fa3e73b43dea152b3022720eb2a4944f7d99513a37ff19f1be91e021583183
SHA512: 1e57e3b4e89a7176e9b802e9e2be61102fc7ccc490a94c69f7ef02744a26a80c8a401685ce62d3d9bc7d005ee1c5253aeb54aaca9acb461b705c49654f5c8f1e
-
C:\programdata\McAfeeServiceWT1P.bat
MD5: e458872a49d1aafabbc21722c227bce6
SHA1: 2af39efed337ad0ccf5570661bfde261d1ef8635
SHA256: 45645d184cab7baafd484bf766f65fd881ac9ed7520d723f1b71ea523c155821
SHA512: 3232e628a8579b9a73656ef53c22e033f8ca1528ef38c6081e8d6c8270757576f03b7f5b7402f9d1a67771e95b452999d192391bc1747138b45062b8881a9a58
-
C:\programdata\McAfeeServiceWT2P.bat
MD5: b77f03451a09f18bf1020ef131dfb3bc
SHA1: f294907728b4497cd9fc79880d6d9b24ab8dd2d8
SHA256: 92d7151d5dc3b50971d4ea635606729a312f72f5ce3d61329599fbf4f68e3c95
SHA512: 262cb18e6f7185680451700e4ed2ca08dc51be6f8bf9dbe5a72bfc0b8cb9a17a277095f0f8ee08c8f52a49989e852e19dda101c6ec11bc1619d21b62250312e2
-
C:\programdata\McAfeeServiceWT3P.bat
MD5: 6ee2b9392283a19d368228ac069c562d
SHA1: 41b117e04ca6bb4c8f69ccdeacf8aa5f961edc17
SHA256: 04f45573e2c6a6b895be6fd9634dc20c98360dfec41d9f0025e72eec8a5dce18
SHA512: 4d8d53548dd4776b4a50e9a3b0c03fb99b35796e32202f0731ffc0e6cabfce21f2d86756c1bfe3912f214ed380cf9b0e1ff686400ea0978fb5d32bee7521c332
-
C:\programdata\McAfeeServiceWT4P.bat
MD5: 04ed650f24448e41c13b452adf3bc115
SHA1: 9cd3d5f085eb43fbb5bf70a940ccb465faae0324
SHA256: 86b6b152f2109ec289fa482b8ea6ff8bc8402428739ed5a79bf87ed632bcc4f5
SHA512: 10991aaaac33b0bd617271dcca7a0302d2954c1974a7a8c9d4be0c51694f944753926e03db80308b0da52dfb56ea01666da1f5be5d4b26d40f51e892a7e65ffb
-
C:\programdata\McAfeeServiceWT5P.bat
MD5: b69e4890bc742f4cd1a26f9f02e0b775
SHA1: b8e21550197ce541b5f52815c2e5264d40e98e8a
SHA256: 19c714a8b054ed698b47c7faeab0be18906a161e5ac478e19ad80ed55e464462
SHA512: 996135c09925a6ba872acde523eeb57b61925c2c00079e6190da5f6a1c0d8a3007883069db885b76b754476d588160ed00631788e1dde995bc3e9743f6529945
-
C:\programdata\aaa.ps1
MD5: 810a730741e2488360ec31da9103fe9c
SHA1: 906010043149b15f38f40f8c98ef9e679a56b43a
SHA256: 412a5f3572bfa31a27749c54b12c26302d75acfc2630c8627c9488b706e5327e
SHA512: 125b5e8d34de6b6f3219ce89951570672857be92af8b8127344c0bdb1b1a5e8afa937cfc1e5e7e82772484d258214ae5e8a4f049d4dd5242d039995b71238c69
-
\ProgramData\803d76071.exe
MD5: bef2bcb61c1fa9af265659c4123c11ac
SHA1: 76993db88b0f0c3ed6252b114636cf39a30220d6
SHA256: 14dce17f99955f86b05970aa13e35680e879aaa190e598bdcdc4dbf54ee90734
SHA512: 9072c3eb4f1ef3a8f15807db618af9180dd0b02bfaa9c0fc2191f9ec548f1e8ea837f14aeedda30e95781a5935e134f8ee40aa5c4ff0df5a32a0382ebc6af7eb
-
memory/1408-9-0x00000000052E0000-0x00000000052E1000-memory.dmp
Filesize: 4KB
-
memory/1408-5-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
Filesize: 4KB
-
memory/1408-19-0x0000000006420000-0x0000000006421000-memory.dmp
Filesize: 4KB
-
memory/1408-18-0x00000000058A0000-0x00000000058A1000-memory.dmp
Filesize: 4KB
-
memory/1408-13-0x0000000005750000-0x0000000005751000-memory.dmp
Filesize: 4KB
-
memory/1408-57-0x0000000006880000-0x0000000006881000-memory.dmp
Filesize: 4KB
-
memory/1408-8-0x00000000026C0000-0x00000000026C1000-memory.dmp
Filesize: 4KB
-
memory/1408-56-0x0000000006870000-0x0000000006871000-memory.dmp
Filesize: 4KB
-
memory/1408-42-0x0000000005990000-0x0000000005991000-memory.dmp
Filesize: 4KB
-
memory/1408-6-0x0000000004790000-0x0000000004791000-memory.dmp
Filesize: 4KB
-
memory/1408-26-0x00000000064E0000-0x00000000064E1000-memory.dmp
Filesize: 4KB
-
memory/1408-4-0x000000006A860000-0x000000006AF4E000-memory.dmp
Filesize: 6.9MB
-
memory/1408-3-0x0000000000000000-mapping.dmp
-
memory/1564-7-0x0000000000000000-mapping.dmp
-
memory/1828-2-0x00000000042B0000-0x00000000042B4000-memory.dmp
Filesize: 16KB
-
memory/1880-37-0x0000000000000000-mapping.dmp