Analysis

  • max time kernel
    960s
  • max time network
    840s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-05-2024 08:14

General

  • Target

    test.ps1

  • Size

    1KB

  • MD5

    09e2c59da57ed984a09ff11dc442b029

  • SHA1

    49b85d8cfe08b4d7cc7e077125339fc599191ae7

  • SHA256

    760b99362ec0a00b18dcd298c8a684b156f5af180b606a8d5c660a05d2d0b645

  • SHA512

    578d59b5f3d09de043200eed4186f360aa0cca4cca902ff5efb32f7e7ef250ea091c395d995d910ad1245158eaf52d163e0ea713d4830f4142ccca4670d4d0fb

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\test.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3060
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\MountConnect.odt"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2488
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1916
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x304
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1752
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:972
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1128
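The PowerShell launch in the process tree (-ExecutionPolicy bypass -File against a script in the user's Temp directory) is the command line a detection rule should catch, including its abbreviated spellings. The following is an added example and is not part of this sandbox report or of the sandbox's own signature logic: a small Python check run over constructed process-creation events modelled on this report's command lines. The event field names (pid, image, cmdline) and the two extra events with PIDs 4100 and 4200 are assumptions of the example, not data from the report.

```python
"""Flag PowerShell launches that bypass the execution policy or run code from
user-writable locations, modelled on the command line in this report.

Added example; not part of the sandbox report. The events below are
constructed to resemble process-creation telemetry, and the field names
(pid, image, cmdline) are this example's own, not a vendor schema.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed sample events. The first two mirror processes from this report
# (the PowerShell launch and, as a non-PowerShell control, the Word process);
# the other two are invented variants: an abbreviated-switch one-liner and a
# signed-script launch from a path ordinary users cannot write to.
SAMPLE_EVENTS = [
    {"pid": 3060,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\test.ps1"},
    {"pid": 2488,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\MountConnect.odt"'},
    {"pid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ep bypass -nop -w hidden -c "iex (gc C:\Users\Admin\Downloads\x.txt)"'},
    {"pid": 4200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\ProgramData\Scripts\inventory.ps1"},
]

# powershell.exe takes "-" or "/" before a switch and its parser also accepts
# several Unicode dashes, so a rule keyed on the ASCII hyphen alone is easy
# to sidestep.
SWITCH_PREFIX = "-/\u2013\u2014\u2015"
USER_WRITABLE = {"appdata", "temp", "downloads", "desktop", "public"}
LAX_POLICIES = {"bypass", "unrestricted"}


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def matches_switch(token: str, full: str, min_len: int) -> bool:
    """powershell.exe matches a switch by prefix: any prefix of `full` that is
    at least `min_len` characters long, so -ex, -exec and -ExecutionPolicy
    all select the execution policy, while -e alone means -EncodedCommand."""
    if len(token) < 2 or token[0] not in SWITCH_PREFIX:
        return False
    key = token[1:].lower()
    return len(key) >= min_len and full.startswith(key)


def is_user_writable(path: str) -> bool:
    """True if any path component is a directory ordinary users can write to."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return bool(parts & USER_WRITABLE)


def analyse_powershell(cmdline: str) -> dict:
    """Return the execution policy, script path and risk reasons for one
    PowerShell command line."""
    tokens = tokenize(cmdline)
    result: dict = {"policy": None, "script": None, "reasons": []}
    i = 1  # skip the image name itself
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        key = tok[1:].lower() if tok and tok[0] in SWITCH_PREFIX else ""
        if matches_switch(tok, "executionpolicy", 2) or key == "ep":
            result["policy"] = (nxt or "").lower()
            i += 2
            continue
        if matches_switch(tok, "file", 1):
            result["script"] = nxt
            i += 2
            continue
        if matches_switch(tok, "encodedcommand", 1) or key == "ec":
            result["reasons"].append("encoded command")
        elif matches_switch(tok, "command", 1):
            result["reasons"].append("inline command")
        elif matches_switch(tok, "windowstyle", 1) and (nxt or "").lower() == "hidden":
            result["reasons"].append("hidden window")
        i += 1
    if result["policy"] in LAX_POLICIES:
        result["reasons"].append(f"execution policy {result['policy']}")
    if result["script"] and is_user_writable(result["script"]):
        result["reasons"].append("script in user-writable path")
    return result


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run the check over every PowerShell event and return (pid, reasons)
    for the ones worth an analyst's attention."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        res = analyse_powershell(ev["cmdline"])
        if res["reasons"]:
            hits.append((ev["pid"], res["reasons"]))
    return hits


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {', '.join(reasons)}")
```

Matching switches by prefix matters because powershell.exe resolves -ex, -exec and -ep to the same setting as -ExecutionPolicy, so a rule that looks only for the literal string misses trivial evasions. Conversely, -File on its own is routine on administered hosts, which is why the policy value and the script location are combined before anything is reported; the RemoteSigned launch from C:\ProgramData in the sample data produces no finding.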

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

        Filesize

        54B

        MD5

        3319cfd3704a0cdbb84ba01f0f3c7c26

        SHA1

        e69aa8c718562480fdff1ea92c0582128474dfb5

        SHA256

        9eb79fc2b70b325e0dbda70fd112e2050d64df64b36f63260d330655bda74b84

        SHA512

        1ff475012b473ddc9f337f7a270cdd5fe9b8ba06c25b7d3d26d72602cff1b3fe356372fa01a108bb0adcec08d80e18b3c9dc1d09ade9b0cccd1780fbde3cb159

      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

        Filesize

        88B

        MD5

        77a58b5367230abd90d6a9d20c587247

        SHA1

        2972a4a396bad70d9d79c982c417c18da66d625a

        SHA256

        0698e65cb81995adac6061a25b882f204501f4d364e7ebd71bff6e5a4b58e637

        SHA512

        1edf7066b73120a42224a7b6052628b87313410ed0d6814d23b0ad42c454884270d2165446df30ad21ab2307b0206c25c7ecc486e4799f3ce3bcc7f367e7c1e3

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        20KB

        MD5

        a58cebe954119213d914a03222f91de0

        SHA1

        f5526d7a17c782f5bdc500a5ec08fba6bc491c62

        SHA256

        8b72a5d43fcd094cf76652d26b667de754f4b4083a1fca7812ad8e8b479bfe82

        SHA512

        0d489cfe51effef89d105fbc9dbf75fb621713e87b920362ceea381a77e02dc8590d78e9f73ebcbb37d3937bfbacced67cecf50fa68d5daedadd443a8ad8a5af

      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      • memory/1316-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2488-14-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2488-38-0x000000007155D000-0x0000000071568000-memory.dmp

        Filesize

        44KB

      • memory/2488-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2488-15-0x000000007155D000-0x0000000071568000-memory.dmp

        Filesize

        44KB

      • memory/2488-13-0x000000002F231000-0x000000002F232000-memory.dmp

        Filesize

        4KB

      • memory/3060-8-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

        Filesize

        9.6MB

      • memory/3060-12-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

        Filesize

        9.6MB

      • memory/3060-11-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

        Filesize

        9.6MB

      • memory/3060-10-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

        Filesize

        9.6MB

      • memory/3060-9-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

        Filesize

        9.6MB

      • memory/3060-4-0x000007FEF5DDE000-0x000007FEF5DDF000-memory.dmp

        Filesize

        4KB

      • memory/3060-6-0x00000000027E0000-0x00000000027E8000-memory.dmp

        Filesize

        32KB

      • memory/3060-7-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

        Filesize

        9.6MB

      • memory/3060-5-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

        Filesize

        2.9MB