a82c6a23644bfd7b236b737e30582f01e65632b5786fbe6b9c52191eb1eaf714

Analysis

max time kernel
73s
max time network
28s
platform
windows7_x64
resource
win7v20201028
submitted
14-12-2020 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af56714d4d1754000f42f1e8220d1b64.doc
Size

420KB
MD5

af56714d4d1754000f42f1e8220d1b64
SHA1

e920748f1ac768b0f35c02a6b121fc496412ba6d
SHA256

a82c6a23644bfd7b236b737e30582f01e65632b5786fbe6b9c52191eb1eaf714
SHA512

b52938dece21877a8924c25d47cdba09ff112a81d96ed046131848485246854b52477c2b6f04fbaee72cd5a3cb053b8fa1cefcd64b85d08bc6140ce80984e3c1

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1408	1828	powershell.exe	WINWORD.EXE

Executes dropped EXE 1 IoCs

Processes:

803d76071.exe

pid process

1880 803d76071.exe
Loads dropped DLL 4 IoCs

Processes:

powershell.exe

pid process

1408 powershell.exe
1408 powershell.exe
1408 powershell.exe
1408 powershell.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
1880	803d76071.exe

pid	process
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1828 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1408 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1408 powershell.exe

pid	process
1408	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1408	powershell.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEpowershell.exe

description	pid	process	target process
PID 1828 wrote to memory of 1408	1828	WINWORD.EXE	powershell.exe
PID 1828 wrote to memory of 1408	1828	WINWORD.EXE	powershell.exe
PID 1828 wrote to memory of 1408	1828	WINWORD.EXE	powershell.exe
PID 1828 wrote to memory of 1408	1828	WINWORD.EXE	powershell.exe
PID 1828 wrote to memory of 1564	1828	WINWORD.EXE	splwow64.exe
PID 1828 wrote to memory of 1564	1828	WINWORD.EXE	splwow64.exe
PID 1828 wrote to memory of 1564	1828	WINWORD.EXE	splwow64.exe
PID 1828 wrote to memory of 1564	1828	WINWORD.EXE	splwow64.exe
PID 1408 wrote to memory of 1880	1408	powershell.exe	803d76071.exe
PID 1408 wrote to memory of 1880	1408	powershell.exe	803d76071.exe
PID 1408 wrote to memory of 1880	1408	powershell.exe	803d76071.exe
PID 1408 wrote to memory of 1880	1408	powershell.exe	803d76071.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\af56714d4d1754000f42f1e8220d1b64.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ep bypass -c .\aaa.ps1
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\programdata\803d76071.exe
"C:\programdata\803d76071.exe"
3⤵
- Executes dropped EXE
PID:1880

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1564

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\803d76071.exe
MD5
bef2bcb61c1fa9af265659c4123c11ac

SHA1
76993db88b0f0c3ed6252b114636cf39a30220d6

SHA256
14dce17f99955f86b05970aa13e35680e879aaa190e598bdcdc4dbf54ee90734

SHA512
9072c3eb4f1ef3a8f15807db618af9180dd0b02bfaa9c0fc2191f9ec548f1e8ea837f14aeedda30e95781a5935e134f8ee40aa5c4ff0df5a32a0382ebc6af7eb

Download Submit
C:\programdata\803d76071.aaa
MD5
2bb165a96a9d2e77aa202b9ed6f30c48

SHA1
7120be00500f70ebceb9e24cdc692d390054a9e5

SHA256
bae2b1fe61602413ca6b39f7f8f35fcfcdd593c976f246942143313527dfe27f

SHA512
ba4a1c6360de1fdda0ae17afe7f441140620c7569842fdf407f9126e268dd436d478670d901648e2969b7fefaff9f15c0e4f4bd0ac282bc59871a8ebb1507567

Download Submit
C:\programdata\803d76071.exe
MD5
bef2bcb61c1fa9af265659c4123c11ac

SHA1
76993db88b0f0c3ed6252b114636cf39a30220d6

SHA256
14dce17f99955f86b05970aa13e35680e879aaa190e598bdcdc4dbf54ee90734

SHA512
9072c3eb4f1ef3a8f15807db618af9180dd0b02bfaa9c0fc2191f9ec548f1e8ea837f14aeedda30e95781a5935e134f8ee40aa5c4ff0df5a32a0382ebc6af7eb

Download Submit
C:\programdata\McAfeeServiceWT0P.bat
MD5
b9772ff4b233b840bfa9cee878c96d98

SHA1
27ea3d7cffe7c53e34c0ea207bd2961bd20ce9d2

SHA256
22fa3e73b43dea152b3022720eb2a4944f7d99513a37ff19f1be91e021583183

SHA512
1e57e3b4e89a7176e9b802e9e2be61102fc7ccc490a94c69f7ef02744a26a80c8a401685ce62d3d9bc7d005ee1c5253aeb54aaca9acb461b705c49654f5c8f1e

Download Submit
C:\programdata\McAfeeServiceWT1P.bat
MD5
e458872a49d1aafabbc21722c227bce6

SHA1
2af39efed337ad0ccf5570661bfde261d1ef8635

SHA256
45645d184cab7baafd484bf766f65fd881ac9ed7520d723f1b71ea523c155821

SHA512
3232e628a8579b9a73656ef53c22e033f8ca1528ef38c6081e8d6c8270757576f03b7f5b7402f9d1a67771e95b452999d192391bc1747138b45062b8881a9a58

Download Submit
C:\programdata\McAfeeServiceWT2P.bat
MD5
b77f03451a09f18bf1020ef131dfb3bc

SHA1
f294907728b4497cd9fc79880d6d9b24ab8dd2d8

SHA256
92d7151d5dc3b50971d4ea635606729a312f72f5ce3d61329599fbf4f68e3c95

SHA512
262cb18e6f7185680451700e4ed2ca08dc51be6f8bf9dbe5a72bfc0b8cb9a17a277095f0f8ee08c8f52a49989e852e19dda101c6ec11bc1619d21b62250312e2

Download Submit
C:\programdata\McAfeeServiceWT3P.bat
MD5
6ee2b9392283a19d368228ac069c562d

SHA1
41b117e04ca6bb4c8f69ccdeacf8aa5f961edc17

SHA256
04f45573e2c6a6b895be6fd9634dc20c98360dfec41d9f0025e72eec8a5dce18

SHA512
4d8d53548dd4776b4a50e9a3b0c03fb99b35796e32202f0731ffc0e6cabfce21f2d86756c1bfe3912f214ed380cf9b0e1ff686400ea0978fb5d32bee7521c332

Download Submit
C:\programdata\McAfeeServiceWT4P.bat
MD5
04ed650f24448e41c13b452adf3bc115

SHA1
9cd3d5f085eb43fbb5bf70a940ccb465faae0324

SHA256
86b6b152f2109ec289fa482b8ea6ff8bc8402428739ed5a79bf87ed632bcc4f5

SHA512
10991aaaac33b0bd617271dcca7a0302d2954c1974a7a8c9d4be0c51694f944753926e03db80308b0da52dfb56ea01666da1f5be5d4b26d40f51e892a7e65ffb

Download Submit
C:\programdata\McAfeeServiceWT5P.bat
MD5
b69e4890bc742f4cd1a26f9f02e0b775

SHA1
b8e21550197ce541b5f52815c2e5264d40e98e8a

SHA256
19c714a8b054ed698b47c7faeab0be18906a161e5ac478e19ad80ed55e464462

SHA512
996135c09925a6ba872acde523eeb57b61925c2c00079e6190da5f6a1c0d8a3007883069db885b76b754476d588160ed00631788e1dde995bc3e9743f6529945

Download Submit
C:\programdata\aaa.ps1
MD5
810a730741e2488360ec31da9103fe9c

SHA1
906010043149b15f38f40f8c98ef9e679a56b43a

SHA256
412a5f3572bfa31a27749c54b12c26302d75acfc2630c8627c9488b706e5327e

SHA512
125b5e8d34de6b6f3219ce89951570672857be92af8b8127344c0bdb1b1a5e8afa937cfc1e5e7e82772484d258214ae5e8a4f049d4dd5242d039995b71238c69

Download Submit
\ProgramData\803d76071.exe
MD5
bef2bcb61c1fa9af265659c4123c11ac

SHA1
76993db88b0f0c3ed6252b114636cf39a30220d6

SHA256
14dce17f99955f86b05970aa13e35680e879aaa190e598bdcdc4dbf54ee90734

SHA512
9072c3eb4f1ef3a8f15807db618af9180dd0b02bfaa9c0fc2191f9ec548f1e8ea837f14aeedda30e95781a5935e134f8ee40aa5c4ff0df5a32a0382ebc6af7eb

Download Submit
\ProgramData\803d76071.exe
MD5
bef2bcb61c1fa9af265659c4123c11ac

SHA1
76993db88b0f0c3ed6252b114636cf39a30220d6

SHA256
14dce17f99955f86b05970aa13e35680e879aaa190e598bdcdc4dbf54ee90734

SHA512
9072c3eb4f1ef3a8f15807db618af9180dd0b02bfaa9c0fc2191f9ec548f1e8ea837f14aeedda30e95781a5935e134f8ee40aa5c4ff0df5a32a0382ebc6af7eb

Download Submit
\ProgramData\803d76071.exe
MD5
bef2bcb61c1fa9af265659c4123c11ac

SHA1
76993db88b0f0c3ed6252b114636cf39a30220d6

SHA256
14dce17f99955f86b05970aa13e35680e879aaa190e598bdcdc4dbf54ee90734

SHA512
9072c3eb4f1ef3a8f15807db618af9180dd0b02bfaa9c0fc2191f9ec548f1e8ea837f14aeedda30e95781a5935e134f8ee40aa5c4ff0df5a32a0382ebc6af7eb

Download Submit
\ProgramData\803d76071.exe
MD5
bef2bcb61c1fa9af265659c4123c11ac

SHA1
76993db88b0f0c3ed6252b114636cf39a30220d6

SHA256
14dce17f99955f86b05970aa13e35680e879aaa190e598bdcdc4dbf54ee90734

SHA512
9072c3eb4f1ef3a8f15807db618af9180dd0b02bfaa9c0fc2191f9ec548f1e8ea837f14aeedda30e95781a5935e134f8ee40aa5c4ff0df5a32a0382ebc6af7eb

Download Submit
memory/1408-9-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/1408-5-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1408-19-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download
memory/1408-18-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/1408-13-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/1408-57-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/1408-8-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1408-56-0x0000000006870000-0x0000000006871000-memory.dmp

Filesize
4KB

Download
memory/1408-42-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/1408-6-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1408-26-0x00000000064E0000-0x00000000064E1000-memory.dmp

Filesize
4KB

Download
memory/1408-4-0x000000006A860000-0x000000006AF4E000-memory.dmp

Filesize
6.9MB

Download
memory/1408-3-0x0000000000000000-mapping.dmp

Download
memory/1564-7-0x0000000000000000-mapping.dmp

Download
memory/1828-2-0x00000000042B0000-0x00000000042B4000-memory.dmp

Filesize
16KB

Download
memory/1880-37-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads