Analysis
max time kernel: 117s
max time network: 129s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 27-07-2024 12:25
Behavioral task: behavioral1
Sample: 5f88ca1aaf3be23a9494d2490813fd17797025557042722e2a49d8508ec15bb1.doc
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 5f88ca1aaf3be23a9494d2490813fd17797025557042722e2a49d8508ec15bb1.doc
Resource: win10v2004-20240709-en
General
Target: 5f88ca1aaf3be23a9494d2490813fd17797025557042722e2a49d8508ec15bb1.doc
Size: 1.3MB
MD5: 3522ab23f2ac891db3002ea5846b155f
SHA1: a2a57208c98edcdb96a90b72e3bed06e6a1c35f3
SHA256: 5f88ca1aaf3be23a9494d2490813fd17797025557042722e2a49d8508ec15bb1
SHA512: 2be7ed61fd02bbcf24b9637ec2ebbf97270dfc1e93ce11063202deb3d0f263135244edcf21eb1e3068c8637cdd52f1e20dd1130ae79373a3553eb13f44dcd74b
SSDEEP: 12288:OXm5/PgVHXloQgPUqCQjDaX2Ky3UCTrg06fE2z40LwfIQ2YZXXvGw4dbt0cLyMPj:OW5el9qORXxCgVc2zpkZn4dBnlq
Malware Config
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: powershell.exe, powershell.exe
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2140 | 1040 | powershell.exe | WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2388 | 1040 | powershell.exe | WINWORD.EXE

Command and Scripting Interpreter: PowerShell
Processes: powershell.exe, powershell.exe
pid | process
2140 | powershell.exe
2388 | powershell.exe
Drops file in Windows directory (1 IoCs)
Processes: WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: WINWORD.EXE, powershell.exe, powershell.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: WINWORD.EXE
pid | process
1040 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe, powershell.exe
pid | process
2388 | powershell.exe
2140 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: powershell.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 2140 | powershell.exe
Token: SeDebugPrivilege | 2388 | powershell.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE
pid | process
1040 | WINWORD.EXE
1040 | WINWORD.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: WINWORD.EXE
description | pid | process | target process
PID 1040 wrote to memory of 568 | 1040 | WINWORD.EXE | splwow64.exe
PID 1040 wrote to memory of 568 | 1040 | WINWORD.EXE | splwow64.exe
PID 1040 wrote to memory of 568 | 1040 | WINWORD.EXE | splwow64.exe
PID 1040 wrote to memory of 568 | 1040 | WINWORD.EXE | splwow64.exe
PID 1040 wrote to memory of 2140 | 1040 | WINWORD.EXE | powershell.exe
PID 1040 wrote to memory of 2140 | 1040 | WINWORD.EXE | powershell.exe
PID 1040 wrote to memory of 2140 | 1040 | WINWORD.EXE | powershell.exe
PID 1040 wrote to memory of 2140 | 1040 | WINWORD.EXE | powershell.exe
PID 1040 wrote to memory of 2388 | 1040 | WINWORD.EXE | powershell.exe
PID 1040 wrote to memory of 2388 | 1040 | WINWORD.EXE | powershell.exe
PID 1040 wrote to memory of 2388 | 1040 | WINWORD.EXE | powershell.exe
PID 1040 wrote to memory of 2388 | 1040 | WINWORD.EXE | powershell.exe
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1, PID 1040)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5f88ca1aaf3be23a9494d2490813fd17797025557042722e2a49d8508ec15bb1.doc"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (depth 2, PID 568)
    Command line: C:\Windows\splwow64.exe 12288

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2140)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "[System.IO.File]::WriteAllBytes('C:\Users\Admin\AppData\Local\Microsoft\UiNexual.zip', [System.Convert]::FromBase64String([System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Microsoft\UiNexual.zip.b64')))"
    - Process spawned unexpected child process
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2388)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Microsoft\UiNexual.zip' -DestinationPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
    - Process spawned unexpected child process
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 242KB
MD5: 908c9561b4d8a395c0e82028c9a1ba49
SHA1: 5f7620f45023da81a7ddaf32f1c1b4c9ef89048d
SHA256: b4f31548b761b49759443e1a69b9905bb155f03d2e3ab5da2b59563fe6d4b3ee
SHA512: 1d8a193f48c2cba727b4ca50877edca61d28ec433ad0cdfe9f3d30f95e7e9bef396629681ad270c521fb6e67a72eedb54c3bd5a18ff18c9fea8c153cf13c6566

Filesize: 19KB
MD5: b359ba15da0033772223bc572b759d2f
SHA1: 5c1c449b2e01f67911cc1e2756adbb8e35a4ff45
SHA256: 8f1b2e14e0ecd5035c45230932d56a09915a18869ec7d3dbf3261642d522cf28
SHA512: 4bf9cd3d4b1d952ffb04f313c7d93e0beb3c7e3038ba332e791c5946fdf2f165bd94ae477986c1d63ef7de20e297d07aac98e022277727ba7f964401814e15d9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: f5922a9e6237f9b3a334261d104bc76f
SHA1: c592ad37371187f71f433f8e15218fe2a6e1c686
SHA256: 6553bebe1d99f41789685d8dbe6aa17649e3761bd0efa22de012de4d8e7a42a5
SHA512: c82053f2fabea9325ce0f14ca1cf82000d9f5f43d2cf5dad629eff9128f802edabbb487d5bc086d975cab307bf0b3fab9ddb016e6e40ab50754f2f14843c3a48

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e