5f88ca1aaf3be23a9494d2490813fd17797025557042722e2a49d8508ec15bb1

Analysis

max time kernel
117s
max time network
129s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f88ca1aaf3be23a9494d2490813fd17797025557042722e2a49d8508ec15bb1.doc
Size

1.3MB
MD5

3522ab23f2ac891db3002ea5846b155f
SHA1

a2a57208c98edcdb96a90b72e3bed06e6a1c35f3
SHA256

5f88ca1aaf3be23a9494d2490813fd17797025557042722e2a49d8508ec15bb1
SHA512

2be7ed61fd02bbcf24b9637ec2ebbf97270dfc1e93ce11063202deb3d0f263135244edcf21eb1e3068c8637cdd52f1e20dd1130ae79373a3553eb13f44dcd74b
SSDEEP

12288:OXm5/PgVHXloQgPUqCQjDaX2Ky3UCTrg06fE2z40LwfIQ2YZXXvGw4dbt0cLyMPj:OW5el9qORXxCgVc2zpkZn4dBnlq

Score

10^/10

discovery execution

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2140	1040	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2388	1040	powershell.exe	WINWORD.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2140 powershell.exe
2388 powershell.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE

pid	process
2140	powershell.exe
2388	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WINWORD.EXEpowershell.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1040 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2388 powershell.exe
2140 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2140 powershell.exe
Token: SeDebugPrivilege 2388 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1040 WINWORD.EXE
1040 WINWORD.EXE

pid	process
1040	WINWORD.EXE

pid	process
2388	powershell.exe
2140	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe

pid	process
1040	WINWORD.EXE
1040	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1040 wrote to memory of 568	1040	WINWORD.EXE	splwow64.exe
PID 1040 wrote to memory of 568	1040	WINWORD.EXE	splwow64.exe
PID 1040 wrote to memory of 568	1040	WINWORD.EXE	splwow64.exe
PID 1040 wrote to memory of 568	1040	WINWORD.EXE	splwow64.exe
PID 1040 wrote to memory of 2140	1040	WINWORD.EXE	powershell.exe
PID 1040 wrote to memory of 2140	1040	WINWORD.EXE	powershell.exe
PID 1040 wrote to memory of 2140	1040	WINWORD.EXE	powershell.exe
PID 1040 wrote to memory of 2140	1040	WINWORD.EXE	powershell.exe
PID 1040 wrote to memory of 2388	1040	WINWORD.EXE	powershell.exe
PID 1040 wrote to memory of 2388	1040	WINWORD.EXE	powershell.exe
PID 1040 wrote to memory of 2388	1040	WINWORD.EXE	powershell.exe
PID 1040 wrote to memory of 2388	1040	WINWORD.EXE	powershell.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5f88ca1aaf3be23a9494d2490813fd17797025557042722e2a49d8508ec15bb1.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "[System.IO.File]::WriteAllBytes('C:\Users\Admin\AppData\Local\Microsoft\UiNexual.zip', [System.Convert]::FromBase64String([System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Microsoft\UiNexual.zip.b64')))"
2⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Microsoft\UiNexual.zip' -DestinationPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
2⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\UiNexual.zip.b64

Filesize
242KB

MD5
908c9561b4d8a395c0e82028c9a1ba49

SHA1
5f7620f45023da81a7ddaf32f1c1b4c9ef89048d

SHA256
b4f31548b761b49759443e1a69b9905bb155f03d2e3ab5da2b59563fe6d4b3ee

SHA512
1d8a193f48c2cba727b4ca50877edca61d28ec433ad0cdfe9f3d30f95e7e9bef396629681ad270c521fb6e67a72eedb54c3bd5a18ff18c9fea8c153cf13c6566

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
b359ba15da0033772223bc572b759d2f

SHA1
5c1c449b2e01f67911cc1e2756adbb8e35a4ff45

SHA256
8f1b2e14e0ecd5035c45230932d56a09915a18869ec7d3dbf3261642d522cf28

SHA512
4bf9cd3d4b1d952ffb04f313c7d93e0beb3c7e3038ba332e791c5946fdf2f165bd94ae477986c1d63ef7de20e297d07aac98e022277727ba7f964401814e15d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f5922a9e6237f9b3a334261d104bc76f

SHA1
c592ad37371187f71f433f8e15218fe2a6e1c686

SHA256
6553bebe1d99f41789685d8dbe6aa17649e3761bd0efa22de012de4d8e7a42a5

SHA512
c82053f2fabea9325ce0f14ca1cf82000d9f5f43d2cf5dad629eff9128f802edabbb487d5bc086d975cab307bf0b3fab9ddb016e6e40ab50754f2f14843c3a48

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1040-0-0x000000002F881000-0x000000002F882000-memory.dmp

Filesize
4KB

Download
memory/1040-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1040-2-0x00000000709ED000-0x00000000709F8000-memory.dmp

Filesize
44KB

Download
memory/1040-5-0x00000000709ED000-0x00000000709F8000-memory.dmp

Filesize
44KB

Download
memory/1040-6-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-8-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-12-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-27-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-45-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-55-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-58-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-59-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-57-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-56-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-54-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-68-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-66-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-65-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-64-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-63-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-62-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-61-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-53-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-52-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-50-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-49-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-48-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-47-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-46-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-44-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-43-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-41-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-42-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-40-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-39-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-38-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-37-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-35-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-34-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-33-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-32-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-31-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-30-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-29-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-28-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-26-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-25-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-24-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-23-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-22-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-20-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-21-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-19-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-18-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-17-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-16-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-15-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-14-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-13-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-11-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-9-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-10-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-7-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1040-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download